System Management Configuration Guide, Cisco IOS XE ...

System Management Configuration Guide, Cisco IOS XE Amsterdam17.2.x (Catalyst 9500 Switches)First Published: 2020-03-30

Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAhttp://www.cisco.comTel: 408 526-4000

800 553-NETS (6387)Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITHTHE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version ofthe UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHERWARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUTLIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERSHAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, networktopology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentionaland coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply apartnership relationship between Cisco and any other company. (1721R)

© 2020 Cisco Systems, Inc. All rights reserved.

https://www.cisco.com/c/en/us/about/legal/trademarks.html

C O N T E N T S

Administering the Device 1C H A P T E R 1

Information About Administering the Device 1

System Time and Date Management 1

System Clock 1

Network Time Protocol 2

NTP Stratum 3

NTP Associations 3

NTP Security 5

NTP Services on a Specific Interface 6

Source IP Address for NTP Packets 6

NTP Implementation 6

System Name and Prompt 7

Stack System Name and Prompt 8

Default System Name and Prompt Configuration 8

DNS 8

Default DNS Settings 8

Login Banners 8

Default Banner Configuration 9

MAC Address Table 9

MAC Address Table Creation 9

MAC Addresses and VLANs 9

MAC Addresses and Device Stacks 9

Default MAC Address Table Settings 10

ARP Table Management 10

How to Administer the Device 10

Configuring the Time and Date Manually 10

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)iii

Setting the System Clock 11

Configuring the Time Zone 11

Configuring Summer Time (Daylight Saving Time) 12

Configuring NTP 14

Default NTP Configuration 14

Configuring NTP Authentication 15

Configuring Poll-Based NTP Associations 16

Configuring Broadcast-Based NTP Associations 18

Configuring NTP Access Restrictions 19

Configuring a System Name 21

Setting Up DNS 22

Configuring a Message-of-the-Day Login Banner 24

Configuring a Login Banner 25

Managing the MAC Address Table 26

Changing the Address Aging Time 26

Configuring MAC Address Change Notification Traps 27

Configuring MAC Address Move Notification Traps 29

Configuring MAC Threshold Notification Traps 31

Disabling MAC Address Learning on VLAN 33

Adding and Removing Static Address Entries 34

Configuring Unicast MAC Address Filtering 36

Monitoring and Maintaining Administration of the Device 36

Configuration Examples for Device Administration 37

Example: Setting the System Clock 37

Examples: Configuring Summer Time 38

Example: Configuring a MOTD Banner 38

Example: Configuring a Login Banner 38

Example: Configuring MAC Address Change Notification Traps 39

Example: Configuring MAC Threshold Notification Traps 39

Example: Adding the Static Address to the MAC Address Table 39

Example: Configuring Unicast MAC Address Filtering 40

Additional References for Device Administration 40

Feature History for Device Administration 40

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)iv

Contents

Boot Integrity Visibility 41C H A P T E R 2

Information About Boot Integrity Visibility 41

Verifying the Software Image and Hardware 41

Verifying Platform Identity and Software Integrity 42

Additional References for Boot Integrity Visibility 45

Feature History for Boot Integrity Visibility 45

Performing Device Setup Configuration 47C H A P T E R 3

Restrictions for Performing Device Setup Configuration 47

Information About Performing Device Setup Configuration 47

Device Boot Process 47

Software Install Overview 48

Software Boot Modes 49

Installing the Software Package 50

Terminating a Software Install 50

Devices Information Assignment 51

Default Switch Information 51

DHCP-Based Autoconfiguration Overview 51

DHCP Client Request Process 52

DHCP-Based Autoconfiguration and Image Update 53

Restrictions for DHCP-Based Autoconfiguration 53

DHCP Autoconfiguration 53

DHCP Auto-Image Update 54

DHCP Server Configuration Guidelines 54

Purpose of the TFTP Server 55

Purpose of the DNS Server 55

How to Obtain Configuration Files 55

How to Control Environment Variables 56

Common Environment Variables 57

Environment Variables for TFTP 58

Scheduled Reload of the Software Image 59

How to Perform Device Setup Configuration 59

Configuring DHCP Autoconfiguration (Only Configuration File) 59

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)v

Contents

Configuring DHCP Auto-Image Update (Configuration File and Image) 61

Configuring the Client to Download Files from DHCP Server 64

Manually Assigning IP Information to Multiple SVIs 65

Modifying Device Startup Configuration 67

Specifying a Filename to Read and Write a System Configuration 67

Manually Booting the Switch 68

Booting the Device in Installed Mode 69

Booting a Device in Bundle Mode 71

Configuring a Scheduled Software Image Reload 72

Configuration Examples for Device Setup Configuration 73

Examples: Displaying Software Bootup in Install Mode 73

Example: Emergency Installation 76

Example: Managing an Update Package 77

Verifying Software Install 88

Example: Configuring a Device as a DHCP Server 91

Example: Configuring DHCP Auto-Image Update 91

Example: Configuring a Device to Download Configurations from a DHCP Server 91

Example: Scheduling Software Image Reload 92

Additional References For Performing Device Setup 92

Feature History for Performing Device Setup Configuration 92

Configuring Smart Licensing 95C H A P T E R 4

Prerequisites for Configuring Smart Licensing 95

Introduction to Smart Licensing 95

Overview of CSSM 96

Connecting to CSSM 96

Linking Existing Licenses to CSSM 98

Configuring a Connection to CSSM and Setting Up the License Level 98

Setting Up a Connection to CSSM 98

Configuring the Call Home Service for Direct Cloud Access 101

Configuring the Call Home Service for Direct Cloud Access through an HTTPs Proxy Server 102

Configuring the Call Home Service for Cisco Smart Software Manager On-Prem 105

Configuring the License Level 107

Registering a Device on CSSM 108

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)vi

Contents

Generating a New Token from CSSM 109

Registering a Device with the New Token 110

Verifying the License Status After Registration 111

Canceling a Device's Registration in CSSM 112

Monitoring Smart Licensing Configuration 113

Configuration Examples for Smart Licensing 114

Example: Viewing the Call Home Profile 114

Example: Viewing the License Information Before Registering 114

Example: Registering a Device 117

Example: Viewing the License Status After Registering 117

Additional References 120

Feature History for Smart Licensing 120

Configuring Application Visibility and Control in a Wired Network 123C H A P T E R 5

Information About Application Visibility and Control in a Wired Network 123

Supported AVC Class Map and Policy Map Formats 124

Restrictions for Wired Application Visibility and Control 125

How to Configure Application Visibility and Control 126

Configuring Application Visibility and Control in a Wired Network 126

Enabling Application Recognition on an interface 127

Creating AVC QoS Policy 128

Applying a QoS Policy to the switch port 130

Configuring Wired AVC Flexible Netflow 130

NBAR2 Custom Applications 147

NBAR2 Dynamic Hitless Protocol Pack Upgrade 149

Monitoring Application Visibility and Control 151

Examples: Application Visibility and Control Configuration 152

Basic Troubleshooting - Questions and Answers 164

Additional References for Application Visibility and Control 165

Feature History for Application Visibility and Control in a Wired Network 165

Configuring SDM Templates 167C H A P T E R 6

Information About SDM Templates 167

Customizable SDM Template 168

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)vii

Contents

Overview of Customizable SDM Template 168

System resource allocation for Customizable SDM Template 170

Customizable SDM Template and High Availability 170

Customizable SDM Template and StackWise Virtual 171

Customizable SDM Template and ISSU 171

SDM Templates and Switch Stacks 171

How to Configure SDM Templates 172

Setting the SDM Template 172

Monitoring and Maintaining SDM Templates 173

Configuration Examples for SDM Templates 174

Examples: Displaying SDM Templates 174

Examples: Configuring SDM Templates 176

Additional References for SDM Templates 176

Feature History for SDM Templates 176

Configuring System Message Logs 179C H A P T E R 7

Information About Configuring System Message Logs 179

System Messsage Logging 179

System Log Message Format 180

Default System Message Logging Settings 181

Syslog Message Limits 181

How to Configure System Message Logs 182

Setting the Message Display Destination Device 182

Synchronizing Log Messages 183

Disabling Message Logging 185

Enabling and Disabling Time Stamps on Log Messages 186

Enabling and Disabling Sequence Numbers in Log Messages 186

Defining the Message Severity Level 187

Limiting Syslog Messages Sent to the History Table and to SNMP 188

Logging Messages to a UNIX Syslog Daemon 188

Monitoring and Maintaining System Message Logs 190

Monitoring Configuration Archive Logs 190

Configuration Examples for System Message Logs 190

Example: Switch System Message 190

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)viii

Contents

Additional References for System Message Logs 190

Feature History for System Message Logs 190

Configuring Online Diagnostics 193C H A P T E R 8

Information About Configuring Online Diagnostics 193

Generic Online Diagnostics (GOLD) Tests 194

How to Configure Online Diagnostics 201

Starting Online Diagnostic Tests 201

Configuring Online Diagnostics 202

Scheduling Online Diagnostics 202

Configuring Health-Monitoring Diagnostics 203

Monitoring and Maintaining Online Diagnostics 206

Configuration Examples for Online Diagnostics 207

Examples: Start Diagnostic Tests 207

Example: Configure a Health-Monitoring Test 207

Example: Schedule Diagnostic Test 207

Example: Displaying Online Diagnostics 207

Additional References for Online Diagnostics 209

Feature Information for Configuring Online Diagnostics 209

Managing Configuration Files 211C H A P T E R 9

Prerequisites for Managing Configuration Files 211

Restrictions for Managing Configuration Files 211

Information About Managing Configuration Files 211

Types of Configuration Files 211

Configuration Mode and Selecting a Configuration Source 212

Configuration File Changes Using the CLI 212

Location of Configuration Files 212

Copy Configuration Files from a Network Server to the Device 213

Copying a Configuration File from the Device to a TFTP Server 213

Copying a Configuration File from the Device to an RCP Server 214

Copying a Configuration File from the Device to an FTP Server 215

Copying files through a VRF 216

Copy Configuration Files from a Switch to Another Switch 216

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)ix

Contents

Configuration Files Larger than NVRAM 217

Configuring the Device to Download Configuration Files 217

How to Manage Configuration File Information 218

Displaying Configuration File Information 218

Modifying the Configuration File 219

Copying a Configuration File from the Device to a TFTP Server 220

What to Do Next 221

Copying a Configuration File from the Device to an RCP Server 221

Examples 222

What to Do Next 223

Copying a Configuration File from the Device to the FTP Server 223

Examples 224

What to Do Next 225

Copying a Configuration File from a TFTP Server to the Device 225

What to Do Next 226

Copying a Configuration File from the rcp Server to the Device 226

Examples 227

What to Do Next 227

Copying a Configuration File from an FTP Server to the Device 227

Examples 228

What to Do Next 229

Maintaining Configuration Files Larger than NVRAM 229

Compressing the Configuration File 229

Storing the Configuration in Flash Memory on Class A Flash File Systems 231

Loading the Configuration Commands from the Network 232

Copying Configuration Files from Flash Memory to the Startup or Running Configuration 233

Copying Configuration Files Between Flash Memory File Systems 234

Copying a Configuration File from an FTP Server to Flash Memory Devices 235

What to Do Next 236

Copying a Configuration File from an RCP Server to Flash Memory Devices 236

Copying a Configuration File from a TFTP Server to Flash Memory Devices 237

Re-executing the Configuration Commands in the Startup Configuration File 238

Clearing the Startup Configuration 238

Deleting a Specified Configuration File 239

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)x

Contents

Specifying the CONFIG_FILE Environment Variable on Class A Flash File Systems 240

What to Do Next 241

Configuring the Device to Download Configuration Files 242

Configuring the Device to Download the Network Configuration File 242

Configuring the Device to Download the Host Configuration File 243

Feature History for Managing Configuration Files 245

Secure Copy 247C H A P T E R 1 0

Prerequisites for Secure Copy 247

Information About Secure Copy 247

Secure Copy Performance Improvements 248

How to Configure Secure Copy 248

Configuring Secure Copy 248

Enabling Secure Copy on the SSH Server 249

Configuration Examples for Secure Copy 251

Example: Secure Copy Configuration Using Local Authentication 251

Example: Secure Copy Server-Side Configuration Using Network-Based Authentication 251

Additional References for Secure Copy 252

Feature Information for Secure Copy 252

Configuration Replace and Configuration Rollback 255C H A P T E R 1 1

Prerequisites for Configuration Replace and Configuration Rollback 255

Restrictions for Configuration Replace and Configuration Rollback 256

Information About Configuration Replace and Configuration Rollback 256

Configuration Archive 256

Configuration Replace 257

Configuration Rollback 258

Configuration Rollback Confirmed Change 258

Benefits of Configuration Replace and Configuration Rollback 258

How to Use Configuration Replace and Configuration Rollback 259

Creating a Configuration Archive 259

Performing a Configuration Replace or Configuration Rollback Operation 260

Monitoring and Troubleshooting the Feature 263

Configuration Examples for Configuration Replace and Configuration Rollback 265

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)xi

Contents

Creating a Configuration Archive 265

Replacing the Current Running Configuration with a Saved Cisco IOS Configuration File 265

Reverting to the Startup Configuration File 266

Performing a Configuration Replace Operation with the configure confirm Command 266

Performing a Configuration Rollback Operation 266

Additional References for Configuration Replace and Configuration Rollback 267

Feature History for Configuration Replace and Configuration Rollback 268

BIOS Protection 269C H A P T E R 1 2

Introduction to BIOS Protection 269

ROMMON Upgrade 269

Capsule Upgrade 270

Feature History for BIOS Protection 271

Software Maintenance Upgrade 273C H A P T E R 1 3

Restrictions for Software Maintenance Upgrade 273

Information About Software Maintenance Upgrade 273

SMU Overview 273

SMUWorkflow 274

SMU Package 274

SMU Reload 274

How to Manage Software Maintenance Updates 274

Installing an SMU Package 274

Managing an SMU Package 275

Configuration Examples for Software Maintenance Upgrade 276

Example: Managing an SMU 276

Additional References for Software Maintenance Upgrade 281

Feature History for Software Maintenance Upgrade 281

Working with the Flash File System 283C H A P T E R 1 4

Information About the Flash File System 283

Displaying Available File Systems 283

Setting the Default File System 285

Displaying Information About Files on a File System 285

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)xii

Contents

Changing Directories and Displaying the Working Directory 287

Creating Directories 287

Removing Directories 288

Copying Files 288

Copying Files from One in a Stack to Another in the Same Stack 289

Deleting Files 289

Creating, Displaying and Extracting Files 290

Additional References for Flash File System 291

Feature History for Flash File System 292

Performing Factory Reset 293C H A P T E R 1 5

Prerequisites for Performing a Factory Reset 293

Restrictions for Performing a Factory Reset 293

Information About Performing a Factory Reset 293

How to Perform a Factory Reset 294

Configuration Examples for Performing a Factory Reset 296

Additional References for Performing a Factory Reset 299

Feature History for Performing a Factory Reset 299

Configuring Secure Storage 301C H A P T E R 1 6

Information About Secure Storage 301

Enabling Secure Storage 301

Disabling Secure Storage 302

Verifying the Status of Encryption 302

Feature Information for Secure Storage 303

Conditional Debug and Radioactive Tracing 305C H A P T E R 1 7

Topic 1 305

Topic 2 305

Topic 2.1 305

Introduction to Conditional Debugging 305

Introduction to Radioactive Tracing 306

How to Configure Conditional Debug and Radioactive Tracing 306

Conditional Debugging and Radioactive Tracing 306

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)xiii

Contents

Location of Tracefiles 306

Configuring Conditional Debugging 307

Radioactive Tracing for L2 Multicast 308

Recommended Workflow for Trace files 309

Copying tracefiles off the box 309

Monitoring Conditional Debugging 310

Configuration Examples for Conditional Debugging 310

Additional References for Conditional Debugging and Radioactive Tracing 311

Feature History for Conditional Debugging and Radioactive Tracing 311

Consent Token 313C H A P T E R 1 8

Restrictions for Consent Token 313

Information About Consent Token 313

Consent Token Authorization Process for System Shell Access 314

Feature History for Consent Token 315

Troubleshooting the Software Configuration 317C H A P T E R 1 9

Information About Troubleshooting the Software Configuration 317

Software Failure on a Switch 317

Lost or Forgotten Password on a Device 317

Ping 318

Layer 2 Traceroute 318

Layer 2 Traceroute Guidelines 318

IP Traceroute 319

Debug Commands 320

System Report 320

Onboard Failure Logging on the Switch 323

Fan Failures 323

Possible Symptoms of High CPU Utilization 324

How to Troubleshoot the Software Configuration 324

Recovering from a Software Failure 324

Recovering from a Lost or Forgotten Password 328

Procedure with Password Recovery Enabled 330

Procedure with Password Recovery Disabled 331

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)xiv

Contents

Preventing Switch Stack Problems 333

Preventing Autonegotiation Mismatches 334

Troubleshooting SFP Module Security and Identification 334

Executing Ping 335

Monitoring Temperature 335

Monitoring the Physical Path 335

Executing IP Traceroute 336

Redirecting Debug and Error Message Output 336

Using the show platform forward Command 336

Using the show debug command 336

Configuring OBFL 337

Verifying Troubleshooting of the Software Configuration 338

Displaying OBFL Information 338

Example: Verifying the Problem and Cause for High CPU Utilization 339

Scenarios for Troubleshooting the Software Configuration 341

Scenarios to Troubleshoot Power over Ethernet (PoE) 341

Configuration Examples for Troubleshooting Software 343

Example: Pinging an IP Host 343

Example: Performing a Traceroute to an IP Host 344

Additional References for Troubleshooting Software Configuration 345

Feature History for Troubleshooting Software Configuration 345

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)xv

Contents

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)xvi

Contents

C H A P T E R 1Administering the Device

• Information About Administering the Device, on page 1• How to Administer the Device, on page 10• Configuration Examples for Device Administration, on page 37• Additional References for Device Administration, on page 40• Feature History for Device Administration, on page 40

Information About Administering the Device

System Time and Date ManagementYou can manage the system time and date on your device using automatic configuration methods (RTC andNTP), or manual configuration methods.

For complete syntax and usage information for the commands used in this section, see the Cisco IOSConfiguration Fundamentals Command Reference on Cisco.com.

Note

System ClockThe basis of the time service is the system clock. This clock runs from the moment the system starts up andkeeps track of the date and time.

The system clock can then be set from these sources:

• RTC

• NTP

• Manual configuration

The system clock can provide time to these services:

• User show commands

• Logging and debugging messages

System Management Configuration Guide, Cisco IOS XE Amsterdam 17.2.x (Catalyst 9500 Switches)1

The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known asGreenwich Mean Time (GMT). You can configure information about the local time zone and summer time(daylight saving time) so that the time appears correctly for the local time zone.

The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by atime source considered to be authoritative). If it is not authoritative, the time is available only for displaypurposes and is not redistributed.

Network Time ProtocolThe NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol(UDP), which runs over IP. NTP is documented in RFC 1305. The current protocol is version 4 (NTPv4),which is a proposed standard as documented in RFC 5905. It is backward compatible with version 3, specifiedin RFC 1305.

An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomicclock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient;no more than one packet per minute is necessary to synchronize two devices to within a millisecond of oneanother.

NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritativetime source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time serverreceives its time through NTP from a stratum 1 time server, and so on. A device running NTP automaticallychooses as its time source the device with the lowest stratum number with which it communicates throughNTP. This strategy effectively builds a self-organizing tree of NTP speakers.

NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a devicethat is not synchronized. NTP also compares the time reported by several devices and does not synchronizeto a device whose time is significantly different than the others, even if its stratum is lower.

The communications between devices running NTP (known as associations) are usually statically configured;each device is given the IP address of all devices with which it should form associations. Accurate timekeepingis possible by exchanging NTP messages between each pair of devices with an association. However, in aLAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reducesconfiguration complexity because each device can simply be configured to send or receive broadcast messages.However, in that case, information flow is one-way only.

The time kept on a device is a critical resource; you should use the security features of NTP to avoid theaccidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-basedrestriction scheme and an encrypted authentication mechanism.

Cisco?s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio oratomic clock. We recommend that the time service for your network be derived from the public NTP serversavailable on the IP Internet.

The Figure shows a typical network example using NTP. Device A is the primary NTP, with the Device B,C, and D configured in NTP server mode, in server association with Device A. Device E is configured as anNTP peer to the upstream and downstream device, Device B and Device F, respectively.


Administering the DeviceNetwork Time Protocol

Figure 1: Typical NTP Network Configuration

If the network is isolated from the Internet, Cisco?s implementation of NTP allows a device to act as if it issynchronized through NTP, when in fact it has learned the time by using other means. Other devices thensynchronize to that device through NTP.

When multiple sources of time are available, NTP is always considered to be more authoritative. NTP timeoverrides the time set by any other method.

Several manufacturers include NTP software for their host systems, and a publicly available version forsystems running UNIX and its various derivatives is also available. This software allows host systems to betime-synchronized as well.

NTP StratumNTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritativetime source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time serverreceives its time through NTP from a stratum 1 time server, and so on. A device running NTP automaticallychooses as its time source the device with the lowest stratum number with which it communicates throughNTP. This strategy effectively builds a self-organizing tree of NTP speakers.

NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a devicethat is not synchronized. NTP also compares the time reported by several devices and does not synchronizeto a device whose time is significantly different than the others, even if its stratum is lower.

NTP AssociationsThe communications between devices running NTP (known as associations) are usually statically configured;each device is given the IP address of all devices with which it should form associations. Accurate timekeepingis possible by exchanging NTP messages between each pair of devices with an association. However, in aLAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces


Administering the DeviceNTP Stratum

configuration complexity because each device can simply be configured to send or receive broadcast messages.However, in that case, information flow is one-way only.

Poll-Based NTP Associations

Networking devices running NTP can be configured to operate in variety of association modes whensynchronizing time with reference time sources. A networking device can obtain time information on a networkin twoways—by polling host servers and by listening to NTP broadcasts. This section focuses on the poll-basedassociation modes. Broadcast-based NTP associations are discussed in the Broadcast-Based NTP Associationssection.

The following are the two most commonly used poll-based association modes:

• Client mode

• Symmetric active mode

The client and the symmetric active modes should be used when NTP is required to provide a high level oftime accuracy and reliability.

When a networking device is operating in the client mode, it polls its assigned time-serving hosts for thecurrent time. The networking device will then pick a host from among all the polled time servers to synchronizewith. Because the relationship that is established in this case is a client-host relationship, the host will notcapture or use any time information sent by the local client device. This mode is most suited for file-serverand workstation clients that are not required to provide any form of time synchronization to other local clients.Use the ntp server command to individually specify the time server that you want your networking deviceto consider synchronizing with and to set your networking device to operate in the client mode.

When a networking device is operating in the symmetric active mode, it polls its assigned time-serving hostsfor the current time and it responds to polls by its hosts. Because this is a peer-to-peer relationship, the hostwill also retain time-related information of the local networking device that it is communicating with. Thismode should be used when a number of mutually redundant servers are interconnected via diverse networkpaths. Most stratum 1 and stratum 2 servers on the Internet adopt this form of network setup. Use the ntppeer command to individually specify the time serving hosts that you want your networking device to considersynchronizing with and to set your networking device to operate in the symmetric active mode.

The specific mode that you should set for each of your networking devices depends primarily on the role thatyou want them to assume as a timekeeping device (server or client) and the device’s proximity to a stratum1 timekeeping server.

A networking device engages in polling when it is operating as a client or a host in the client mode or whenit is acting as a peer in the symmetric active mode. Although polling does not usually place a burden onmemory and CPU resources such as bandwidth, an exceedingly large number of ongoing and simultaneouspolls on a system can seriously impact the performance of a system or slow the performance of a given network.To avoid having an excessive number of ongoing polls on a network, you should limit the number of direct,peer-to-peer or client-to-server associations. Instead, you should consider using NTP broadcasts to propagatetime information within a localized network.

Broadcast-Based NTP Associations

Broadcast-based NTP associations should be used when time accuracy and reliability requirements are modestand if your network is localized and has more than 20 clients. Broadcast-based NTP associations are alsorecommended for use on networks that have limited bandwidth, system memory, or CPU resources.


Administering the DevicePoll-Based NTP Associations

A networking device operating in the broadcast client mode does not engage in any polling. Instead, it listensfor NTP broadcast packets that are transmitted by broadcast time servers. Consequently, time accuracy canbe marginally reduced because time information flows only one way.

Use the ntp broadcast client command to set your networking device to listen for NTP broadcast packetspropagated through a network. For broadcast client mode to work, the broadcast server and its clients mustbe located on the same subnet. You must enable the time server that transmits NTP broadcast packets on theinterface of the given device by using the ntp broadcast command.

NTP SecurityThe time kept on a device is a critical resource; you should use the security features of NTP to avoid theaccidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-basedrestriction scheme and an encrypted authentication mechanism.

We do not recommend configuring Message Direct 5 (MD5) authentication. You can use other supportedauthentication methods for stronger encryption.

Note

NTP Access Group

The access list-based restriction scheme allows you to grant or deny certain access privileges to an entirenetwork, a subnet within a network, or a host within a subnet. To define an NTP access group, use the ntpaccess-group command in global configuration mode.

The access group options are scanned in the following order, from least restrictive to the most restrictive:

1. ipv4 —Configures IPv4 access lists.

2. ipv6 —Configures IPv6 access lists.

3. peer —Allows time requests and NTP control queries, and allows the system to synchronize itself to asystem whose address passes the access list criteria.

4. serve—Allows time requests and NTP control queries, but does not allow the system to synchronize itselfto a system whose address passes the access list criteria.

5. serve-only —Allows only time requests from a system whose address passes the access list criteria.

6. query-only—Allows only NTP control queries from a systemwhose address passes the access list criteria.

If the source IP address matches the access lists for more than one access type, the first type is granted access.If no access groups are specified, all access types are granted access to all systems. If any access groups arespecified, only the specified access types will be granted access.

For details on NTP control queries, see RFC 1305.

The encrypted NTP authentication scheme should be used when a reliable form of access control is required.Unlike the access list-based restriction scheme that is based on IP addresses, the encrypted authenticationscheme uses authentication keys and an authentication process to determine if NTP synchronization packetssent by designated peers or servers on a local network are deemed as trusted before the time information thatthey carry along with them is accepted.

The authentication process begins from the moment an NTP packet is created. Cryptographic checksum keysare generated using the message digest algorithm 5 (MD5) and are embedded into the NTP synchronization


Administering the DeviceNTP Security

packet that is sent to a receiving client. Once a packet is received by a client, its cryptographic checksum keyis decrypted and checked against a list of trusted keys. If the packet contains a matching authentication key,the time-stamp information that is contained within the packet is accepted by the receiving client. NTPsynchronization packets that do not contain a matching authenticator key are ignored.

In large networks, where many trusted keys must be configured, the Range of Trusted Key Configurationfeature enables configuring multiple keys simultaneously.

Note

It is important to note that the encryption and decryption processes used in NTP authentication can be veryCPU-intensive and can seriously degrade the accuracy of the time that is propagated within a network. If yournetwork setup permits a more comprehensive model of access control, you should consider the use of theaccess list-based form of control.

After NTP authentication is properly configured, your networking device will synchronize with and providesynchronization only to trusted time sources.

NTP Services on a Specific InterfaceNetwork Time Protocol (NTP) services are disabled on all interfaces by default. NTP is enabled globallywhen any NTP commands are entered. You can selectively prevent NTP packets from being received througha specific interface by using the ntp disable command in interface configuration mode.

Source IP Address for NTP PacketsWhen the system sends an NTP packet, the source IP address is normally set to the address of the interfacethrough which the NTP packet is sent. Use the ntp source interface command in global configuration modeto configure a specific interface from which the IP source address will be taken.

This interface will be used for the source address for all packets sent to all destinations. If a source address isto be used for a specific association, use the source keyword in the ntp peer or ntp server command.

NTP ImplementationImplementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomicclock.We recommend that the time service for your network be derived from the public NTP servers availableon the IP Internet.Figure 2: Typical NTP Network Configuration

The following figure shows a typical network example using NTP. Switch A is the primary NTP, with theSwitch B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured


Administering the DeviceNTP Services on a Specific Interface

as an NTP peer to the upstream and downstream switches, Switch B and Switch F,

respectively.

If the network is isolated from the Internet, NTP allows a device to act as if it is synchronized through NTP,when in fact it has learned the time by using other means. Other devices then synchronize to that devicethrough NTP.

When multiple sources of time are available, NTP is always considered to be more authoritative. NTP timeoverrides the time set by any other method.

Several manufacturers include NTP software for their host systems, and a publicly available version forsystems running UNIX and its various derivatives is also available. This software allows host systems to betime-synchronized as well.

System Name and PromptYou configure the system name on the device to identify it. By default, the system name and prompt areSwitch.

If you have not configured a system prompt, the first 20 characters of the system name are used as the systemprompt. A greater-than symbol [>] is appended. The prompt is updated whenever the system name changes.

For complete syntax and usage information for the commands used in this section, see the Cisco IOSConfiguration Fundamentals Command Reference, Release 12.4 and the Cisco IOS IP Command Reference,Volume 2 of 3: Routing Protocols, Release 12.4.


Administering the DeviceSystem Name and Prompt

Stack System Name and PromptIf you are accessing a stack member through the active switch, you must use the session stack-member-numberprivileged EXEC command. The stack member number range is . When you use this command, the stackmember number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXECmode for stack member 2, and the system prompt for the switch stack is Switch.

Default System Name and Prompt ConfigurationThe default switch system name and prompt is Switch.

DNSThe DNS protocol controls the Domain Name System (DNS), a distributed database with which you can maphostnames to IP addresses. When you configure DNS on your device, you can substitute the hostname for theIP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.

IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domainnames are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is acommercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specificdevice in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.

To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache(or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identifythe hostnames, specify the name server that is present on your network, and enable the DNS.

Default DNS Settings

Table 1: Default DNS Settings

Default SettingFeature

Enabled.DNS enable state

None configured.DNS default domain name

No name server addresses are configured.DNS servers

Login BannersYou can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner is displayed on allconnected terminals at login and is useful for sendingmessages that affect all network users (such as impendingsystem shutdowns).

The login banner is also displayed on all connected terminals. It appears after the MOTD banner and beforethe login prompts.

For complete syntax and usage information for the commands used in this section, see the Cisco IOSConfiguration Fundamentals Command Reference, Release 12.4.

Note


Administering the DeviceStack System Name and Prompt

Default Banner ConfigurationThe MOTD and login banners are not configured.

MAC Address TableThe MAC address table contains address information that the device uses to forward traffic between ports.All MAC addresses in the address table are associated with one or more ports. The address table includesthese types of addresses:

• Dynamic address—A source MAC address that the device learns and then ages when it is not in use.

• Static address—Amanually entered unicast address that does not age and that is not lost when the deviceresets.

The address table lists the destination MAC address, the associated VLAN ID, and port number associatedwith the address and the type (static or dynamic).

For complete syntax and usage information for the commands used in this section, see the command referencefor this release.

Note

MAC Address Table CreationWith multiple MAC addresses supported on all ports, you can connect any port on the device to other networkdevices. The device provides dynamic addressing by learning the source address of packets it receives oneach port and adding the address and its associated port number to the address table. As devices are added orremoved from the network, the device updates the address table, adding new dynamic addresses and agingout those that are not in use.

The aging interval is globally configured. However, the device maintains an address table for each VLAN,and STP can accelerate the aging interval on a per-VLAN basis.

The device sends packets between any combination of ports, based on the destination address of the receivedpacket. Using the MAC address table, the device forwards the packet only to the port associated with thedestination address. If the destination address is on the port that sent the packet, the packet is filtered and notforwarded. The device always uses the store-and-forward method: complete packets are stored and checkedfor errors before transmission.

MAC Addresses and VLANsAll addresses are associated with a VLAN. An address can exist in more than one VLAN and have differentdestinations in each. Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9,10, and 1 in VLAN 5.

Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in anotheruntil it is learned or statically associated with a port in the other VLAN.

MAC Addresses and Device StacksThe MAC address tables on all stack members are synchronized. At any given time, each stack member hasthe same copy of the address tables for each VLAN. When an address ages out, the address is removed from


Administering the DeviceDefault Banner Configuration

the address tables on all stack members. When a device joins a switch stack, that device receives the addressesfor each VLAN learned on the other stack members. When a stack member leaves the switch stack, theremaining stack members age out or remove all addresses learned by the former stack member.

Default MAC Address Table SettingsThe following table shows the default settings for the MAC address table.

Table 2: Default Settings for the MAC Address


300 secondsAging time

Automatically learnedDynamic addresses

None configuredStatic addresses

ARP Table ManagementTo communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MACaddress or the local data link address of that device. The process of learning the local data link address froman IP address is called address resolution.

The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MACaddresses and the VLAN ID. Using an IP address, ARP finds the associated MAC address. When a MACaddress is found, the IP-MAC address association is stored in an ARP cache for rapid retrieval. Then the IPdatagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams andARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork AccessProtocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword)is enabled on the IP interface.

ARP entries added manually to the table do not age and must be manually removed.

For CLI procedures, see the Cisco IOS Release 12.4 documentation on Cisco.com.

How to Administer the Device

Configuring the Time and Date ManuallySystem time remains accurate through restarts and reboot, however, you can manually configure the time anddate after the system is restarted.

We recommend that you use manual configuration only when necessary. If you have an outside source towhich the device can synchronize, you do not need to manually set the system clock.

You must reconfigure this setting if you have manually configured the system clock before the device failsand a different stack member assumes the role of the device.

Note


Administering the DeviceDefault MAC Address Table Settings

Setting the System ClockIf you have an outside source on the network that provides time services, such as an NTP server, you do notneed to manually set the system clock.

Follow these steps to set the system clock:

Procedure

PurposeCommand or Action

Enables privileged EXEC mode.enableStep 1

Example: • Enter your password if prompted.

Device> enable

Manually set the system clock using one ofthese formats:

Use one of the following:Step 2

• clock set hh:mm:ss day month year• hh:mm:ss—Specifies the time in hours(24-hour format), minutes, and seconds.

• clock set hh:mm:ss month day year

Example: The time specified is relative to theconfigured time zone.

Device# clock set 13:32:00 23 March 2013

• day—Specifies the day by date in themonth.

• month—Specifies the month by name.

• year—Specifies the year (no abbreviation).

Configuring the Time ZoneFollow these steps to manually configure the time zone:

Procedure




Device> enable

Enters global configuration mode.configure terminal

Example:

Step 2

Device# configure terminal


Administering the DeviceSetting the System Clock


Sets the time zone.clock timezone zone hours-offset[minutes-offset]

Step 3

Internal time is kept in Coordinated UniversalTime (UTC), so this command is used only forExample:display purposes and when the time is manuallyset.Device(config)# clock timezone AST -3 30

• zone—Enters the name of the time zone tobe displayed when standard time is ineffect. The default is UTC.

• hours-offset—Enters the hours offset fromUTC.

• (Optional) minutes-offset—Enters theminutes offset from UTC. This availablewhere the local time zone is a percentageof an hour different from UTC.

Returns to privileged EXEC mode.end

Example:

Step 4

Device(config)# end

Verifies your entries.show running-config

Example:

Step 5

Device# show running-config

(Optional) Saves your entries in theconfiguration file.

copy running-config startup-config

Example:

Step 6

Device# copy running-configstartup-config

Configuring Summer Time (Daylight Saving Time)To configure summer time (daylight saving time) in areas where it starts and ends on a particular day of theweek each year, perform this task:

Procedure





Administering the DeviceConfiguring Summer Time (Daylight Saving Time)


Device> enable


Example:

Step 2


Configures summer time to start and end onspecified days every year.

clock summer-time zone date date month yearhh:mm date month year hh:mm [offset]]

Step 3

Example:

Device(config)# clock summer-time PDTdate10 March 2013 2:00 3 November 2013 2:00

Configures summer time to start and end on thespecified days every year. All times are relative

clock summer-time zone recurring [week daymonth hh:mm week day month hh:mm [offset]]

Step 4

to the local time zone. The start time is relativeto standard time.Example:

Device(config)# clock summer-time The end time is relative to summer time.Summer time is disabled by default. If youPDT recurring 10 March 2013 2:00 3

November 2013 2:00 specify clock summer-time zone recurringwithout parameters, the summer time rulesdefault to the United States rules.

If the starting month is after the ending month,the system assumes that you are in the southernhemisphere.

• zone—Specifies the name of the time zone(for example, PDT) to be displayed whensummer time is in effect.

• (Optional) week— Specifies the week ofthe month (1 to 4, first, or last).

• (Optional) day—Specifies the day of theweek (Sunday, Monday...).

• (Optional) month—Specifies the month(January, February...).

• (Optional) hh:mm—Specifies the time(24-hour format) in hours and minutes.

• (Optional) offset—Specifies the number ofminutes to add during summer time. Thedefault is 60.


Administering the DeviceConfiguring Summer Time (Daylight Saving Time)



Example:

Step 5

Device(config)# end


Example:

Step 6




Example:

Step 7


Configuring NTPThe device does not have a hardware-supported clock and cannot function as an NTP primary clock to whichpeers synchronize themselves when an external NTP source is not available. The device also has no hardwaresupport for a calendar. As a result, the ntp update-calendar and the ntp master commands in globalconfiguration mode are not available.

These following sections provide configuration information on NTP:

Default NTP Configurationshows the default NTP configuration.

Table 3: Default NTP Configuration


Disabled. No authentication key is specified.NTP authentication

None configured.NTP peer or server associations

Disabled; no interface sends or receives NTPbroadcast packets.

NTP broadcast service

No access control is specified.NTP access restrictions

The source address is set by the outgoing interface.NTP packet source IP address

NTP is enabled on all interfaces by default. All interfaces receive NTP packets.


Administering the DeviceConfiguring NTP

Configuring NTP AuthenticationTo configure NTP authentication, perform this procedure:

Procedure



Example: Enter your password if prompted.

Device> enable


Example:

Step 2


Enables NTP authentication.[no] ntp authenticateStep 3

Example: Use the no form of this command to disableNTP authentication

Device(config)# ntp authenticate

Defines the authentication keys.[no] ntp authentication-key number {md5 |cmac-aes-128 | hmac-sha1 | hmac-sha2-256}value

Step 4

• Each key has a key number, a type, and avalue.

Example:• Keys can be one of the following types:

Device(config)# ntp authentication-key • md5: Authentication using the MD5algorithm.42 md5 aNiceKey

• cmac-aes-128: Authentication usingCipher-basedmessage authenticationcodes (CMAC) with the AES-128algorithm. The digest length is 128bits and the key length is 16 or 32bytes.

• hmac-sha1: Authentication usingHash-based Message AuthenticationCode (HMAC) using the SHA1 hashfunction. The digest length is 128 bitsand the key length is 1 to 32 bytes.

• hmac-sha2-256: Authentication usingHMAC using the SHA2 hashfunction. The digest length is 256 bitsand the key length is 1 to 32 bytes


Administering the DeviceConfiguring NTP Authentication


Use the no form of this command to removeauthentication key.

Defines trusted authentication keys that a peerNTP device must provide in its NTP packetsfor this device to synchronize to it.

[no] ntp trusted-key key-number

Example:

Device(config)# ntp trusted-key 42

Step 5

Use the no form of this command to disabletrusted authentication.

Allows the software clock to be synchronizedby an NTP time server.

[no] ntp server ip-address key key-id [prefer]

Example:

Step 6

• ip-address: The IP address of the timeserver providing the clock synchronization.Device(config)# ntp server 172.16.22.44

key 42• key-id: Authentication key defined withthe ntp authentication-key command.

• prefer: Sets this peer as the preferred onethat provides synchronization. Thiskeyword reduces clock hop among peers.

Use the no form of this command to remove aserver association.


Example:

Step 7

Device(config)# end

Configuring Poll-Based NTP AssociationsTo configure poll-based NTP associations, perform this procedure:

Procedure




Device> enable


Example:

Step 2



Administering the DeviceConfiguring Poll-Based NTP Associations


Configures the device system clock tosynchronize a peer or to be synchronized by apeer (peer association).

[no] ntp peer ip-address [version number] [keykey-id] [source interface] [prefer]

Example:

Step 3

• ip-address: The IP address of the peerproviding or being provided, the clocksynchronization.

Device(config)# ntp peer 172.16.22.44version 2

• number: NTP version number. The rangeis 1 to 4. By default, version 4 is selected.

• key-id: Authentication key defined withthe ntp authentication-key command.

• interface: The interface fromwhich to pickthe IP source address. By default, thesource IP address is taken from theoutgoing interface.

• prefer: Sets this peer as the preferred onethat provides synchronization. Thiskeyword reduces switching back and forthbetween peers.

Use the no form of this command to remove apeer association.

Configures the device's system clock to besynchronized by a time server (serverassociation).

[no] ntp server ip-address [version number][key key-id] [source interface] [prefer]

Example:

Step 4

• ip-address: The IP address of the timeserver providing the clock synchronization.Device(config)# ntp server 172.16.22.44

version 2• number: NTP version number. The rangeis 1 to 4. By default, version 4 is selected.

• key-id: Authentication key defined withthe ntp authentication-key command.

• interface: The interface fromwhich to pickthe IP source address. By default, thesource IP address is taken from theoutgoing interface.

• prefer: Sets this peer as the preferred onethat provides synchronization. Thiskeyword reduces clock hop among peers.

Use the no form of this command to remove aserver association.


Administering the DeviceConfiguring Poll-Based NTP Associations



Example:

Step 5

Device(config)# end

Configuring Broadcast-Based NTP AssociationsTo configure broadcast-based NTP associations, perform this procedure:

Procedure




Device> enable


Example:

Step 2


Configures an interface and enters interfaceconfiguration mode.

interface interface-id

Example:

Step 3

Device(config)# interfacegigabitethernet1/0/1

Enables the interface to send NTP broadcastpackets to a peer.

[no] ntp broadcast [version number] [keykey-id] [destination-address]

Step 4

Example: • number: NTP version number. The rangeis 1 to 4. By default, version 4 is used.

Device(config-if)# ntp broadcast version• key-id: Authentication key.2

• destination-address: IP address of the peerthat is synchronizing its clock to thisswitch.

Use the no form of this command to disable theinterface from sending NTP broadcast packets.

Enables the interface to receive NTP broadcastpackets.

[no] ntp broadcast client

Example:

Step 5


Administering the DeviceConfiguring Broadcast-Based NTP Associations


Use the no form of this command to disable theinterface from receivingNTP broadcast packets.Device(config-if)# ntp broadcast client

Returns to privileged EXEC mode.exit

Example:

Step 6

Device(config-if)# exit

(Optional) Change the estimated round-tripdelay between the device and theNTP broadcastserver

[no] ntp broadcastdelay microseconds

Example:

Device(config)# ntp broadcastdelay 100

Step 7

The default is 3000 microseconds. The rangeis from 1 to 999999.

Use the no form of this command to disable theinterface from receivingNTP broadcast packets.


Example:

Step 8

Device(config)# end

Configuring NTP Access RestrictionsYou can control NTP access on two levels as described in these sections:

Creating an Access Group and Assigning a Basic IP Access List

To create an access group and assign a basic IP access list, perform this procedure:

Procedure




Device> enable


Example:

Step 2


Create an access group, and apply a basic IPaccess list..

[no] ntp access-group {query-only |serve-only | serve | peer} access-list-number

Step 3


Administering the DeviceConfiguring NTP Access Restrictions


Example: • query-only: NTP control queries.

Device(config)# ntp access-group peer 99 • serve-only: Time requests.

• serve: Allows time requests and NTPcontrol queries, but does not allow thedevice to synchronize to the remote device.

• peer: Allows time requests and NTPcontrol queries and allows the device tosynchronize to the remote device.

• access-list-number: IP access list number.The range is from 1 to 99.

Use the no form of this command to removeaccess control to the switch NTP services.

Create the access list.access-list access-list-number permit source[source-wildcard]

Step 4

• access-list-number: IP access list number.The range is from 1 to 99.Example:

Device(config)# access-list 99 permit • permit: Permits access if the conditionsare matched.172.20.130.5

• source: IP address of the device that ispermitted access to the device.

• source-wildcard: Wildcard bits to beapplied to the source.

When creating an access list,remember that, by default, the endof the access list contains an implicitdeny statement for everything if itdid not find a match before reachingthe end.

Note

Use the no form of this command to removeauthentication key.


Example:

Step 5

Device(config)# end

Disabling NTP Services on a Specific Interface

To disable NTP packets from being received on an interface, perform this procedure:


Administering the DeviceDisabling NTP Services on a Specific Interface

Procedure




Device> enable


Example:

Step 2


Enters global configuration mode.interface interface-id

Example:

Step 3


Disables NTP packets from being received onthe interface.

[no] ntp disable

Example:

Step 4

Use the no form of this command to re-enablereceipt of NTP packets on an interface.Device(config-if)# ntp disable


Example:

Step 5

Device(config-if)# end

Configuring a System NameFollow these steps to manually configure a system name:

Procedure




Device> enable


Administering the DeviceConfiguring a System Name



Example:

Step 2


Configures a system name. When you set thesystem name, it is also used as the systemprompt.

hostname name

Example:

Device(config)# hostname

Step 3

The default setting is Switch.remote-users

The name must follow the rules for ARPANEThostnames. They must start with a letter, endwith a letter or digit, and have as interiorcharacters only letters, digits, and hyphens.Names can be up to 63 characters.

Returns to priviliged EXEC mode.end

Example:

Step 4

remote-users(config)#endremote-users#


Example:

Step 5




Example:

Step 6


Setting Up DNSIf you use the device IP address as its hostname, the IP address is used and no DNS query occurs. If youconfigure a hostname that contains no periods (.), a period followed by the default domain name is appendedto the hostname before the DNS query is made to map the name to an IP address. The default domain nameis the value set by the ip domain name command in global configuration mode. If there is a period (.) in thehostname, the Cisco IOS software looks up the IP address without appending any default domain name to thehostname.

Follow these steps to set up your switch to use the DNS:


Administering the DeviceSetting Up DNS

Procedure




Device> enable


Example:

Step 2


Defines a default domain name that the softwareuses to complete unqualified hostnames (nameswithout a dotted-decimal domain name).

ip domain name name

Example:

Device(config)# ip domain name Cisco.com

Step 3

Do not include the initial period that separatesan unqualified name from the domain name.

At boot time, no domain name is configured;however, if the device configuration comesfrom a BOOTP or Dynamic Host ConfigurationProtocol (DHCP) server, then the defaultdomain name might be set by the BOOTP orDHCP server (if the servers were configuredwith this information).

Specifies the address of one or more nameservers to use for name and address resolution.

ip name-server server-address1[server-address2 ... server-address6]

Step 4

Example: You can specify up to six name servers.Separate each server address with a space. The

Device(config)# ip first server specified is the primary server. Thename-server 192.168.1.100 device sends DNS queries to the primary server192.168.1.200 192.168.1.300 first. If that query fails, the backup servers are

queried.

(Optional) Enables DNS-basedhostname-to-address translation on your device.This feature is enabled by default.

ip domain lookup [nsap | source-interfaceinterface]

Example:

Step 5

If your network devices require connectivitywith devices in networks for which you do notDevice(config)# ip domain-lookup

control name assignment, you can dynamicallyassign device names that uniquely identify yourdevices by using the global Internet namingscheme (DNS).


Example:

Step 6


Administering the DeviceSetting Up DNS


Device(config)# end


Example:

Step 7




Example:

Step 8


Configuring a Message-of-the-Day Login BannerYou can create a single or multiline message banner that appears on the screen when someone logs in to thedevice.

Follow these steps to configure a MOTD login banner:

Procedure




Device> enable


Example:

Step 2


Specifies the message of the day.banner motd c message cStep 3

Example: c—Enters the delimiting character of yourchoice, for example, a pound sign (#), and press

Device(config)# banner motd # the Return key. The delimiting characterThis is a secure site. Only signifies the beginning and end of the bannerauthorized users are allowed. text. Characters after the ending delimiter are

discarded.For access, contact technicalsupport.#


Administering the DeviceConfiguring a Message-of-the-Day Login Banner


message—Enters a banner message up to 255characters. You cannot use the delimitingcharacter in the message.


Example:

Step 4

Device(config)# end


Example:

Step 5




Example:

Step 6


Configuring a Login BannerYou can configure a login banner to be displayed on all connected terminals. This banner appears after theMOTD banner and before the login prompt.

Follow these steps to configure a login banner:

Procedure




Device> enable


Example:

Step 2


Specifies the login message.banner login c message cStep 3

Example: c— Enters the delimiting character of yourchoice, for example, a pound sign (#), and press


Administering the DeviceConfiguring a Login Banner


Device(config)# banner login $the Return key. The delimiting charactersignifies the beginning and end of the banner

Access for authorized users only. text. Characters after the ending delimiter arediscarded.

Please enter your username andpassword.$

message—Enters a login message up to 255characters. You cannot use the delimitingcharacter in the message.


Example:

Step 4

Device(config)# end


Example:

Step 5




Example:

Step 6


Managing the MAC Address Table

Changing the Address Aging TimeFollow these steps to configure the dynamic address table aging time:

Procedure




Device> enable


Example:

Step 2



Administering the DeviceManaging the MAC Address Table


Sets the length of time that a dynamic entryremains in theMAC address table after the entryis used or updated.

mac address-table aging-time [0 |10-1000000] [routed-mac | vlan vlan-id]

Example:

Step 3

The range is 10 to 1000000 seconds. The defaultis 300. You can also enter 0, which disablesDevice(config)# mac address-table

aging-time 500 vlan 2 aging. Static address entries are never aged orremoved from the table.

vlan-id—Valid IDs are 1 to 4094.


Example:

Step 4

Device(config)# end


Example:

Step 5




Example:

Step 6


Configuring MAC Address Change Notification TrapsFollow these steps to configure the switch to send MAC address change notification traps to an NMS host:

Procedure




Device> enable


Example:

Step 2



Administering the DeviceConfiguring MAC Address Change Notification Traps


Specifies the recipient of the trap message.snmp-server host host-addr community-stringnotification-type { informs | traps } {version{1 | 2c | 3}} {vrf vrf instance name}

Step 3

• host-addr—Specifies the name or addressof the NMS.

Example:• traps (the default)—Sends SNMP trapsto the host.Device(config)# snmp-server host

172.20.10.10 traps privatemac-notification

• informs—Sends SNMP informs to thehost.

• version—Specifies the SNMP version tosupport. Version 1, the default, is notavailable with informs.

• community-string—Specifies the stringto send with the notification operation.Though you can set this string by usingthe snmp-server host command, werecommend that you define this string byusing the snmp-server communitycommand before using the snmp-serverhost command.

• notification-type—Uses themac-notification keyword.

• vrf vrf instance name—Specifies theVPNrouting/forwarding instance for this host.

Enables the device to send MAC addresschange notification traps to the NMS.

snmp-server enable traps mac-notificationchange

Example:

Step 4

Device(config)# snmp-server enable traps

mac-notification change

Enables the MAC address change notificationfeature.

mac address-table notification change

Example:

Step 5

Device(config)# mac address-tablenotification change

Enters the trap interval time and the historytable size.

mac address-table notification change[interval value] [history-size value]

Step 6

Example: • (Optional) interval value—Specifies thenotification trap interval in seconds

Device(config)# mac address-table between each set of traps that arenotification change interval 123 generated to the NMS. The range is 0 toDevice(config)#mac address-table


Administering the DeviceConfiguring MAC Address Change Notification Traps

PurposeCommand or Actionnotification change history-size 100 2147483647 seconds; the default is 1

second.

• (Optional) history-size value—Specifiesthe maximum number of entries in theMAC notification history table. The rangeis 0 to 500; the default is 1.

Enters interface configuration mode, andspecifies the Layer 2 interface on which to


Example:

Step 7

enable the SNMP MAC address notificationtrap.


Enables the MAC address change notificationtrap on the interface.

snmp trap mac-notification change {added| removed}

Step 8

Example: • Enables the trap when a MAC address isadded on this interface.

Device(config-if)# snmp trapmac-notification change added • Enables the trap when a MAC address is

removed from this interface.


Example:

Step 9

Device(config)# end


Example:

Step 10




Example:

Step 11


Configuring MAC Address Move Notification TrapsWhen you configure MAC-move notification, an SNMP notification is generated and sent to the networkmanagement system whenever a MAC address moves from one port to another within the same VLAN.

Follow these steps to configure the device to send MAC address-move notification traps to an NMS host:


Administering the DeviceConfiguring MAC Address Move Notification Traps

Procedure




Device> enable


Example:

Step 2


Specifies the recipient of the trap message.snmp-server host host-addr {traps | informs}{version {1 | 2c | 3}} community-stringnotification-type

Step 3


Example:• traps (the default)—Sends SNMP traps tothe host.Device(config)# snmp-server host

172.20.10.10 traps private • informs—Sends SNMP informs to thehost.

mac-notification


• community-string—Specifies the string tosend with the notification operation.Though you can set this string by usingthe snmp-server host command, werecommend that you define this string byusing the snmp-server communitycommand before using the snmp-serverhost command.


Enables the device to send MAC address movenotification traps to the NMS.

snmp-server enable traps mac-notificationmove

Example:

Step 4


mac-notification move

Enables the MAC address move notificationfeature.

mac address-table notification mac-move

Example:

Step 5


Administering the DeviceConfiguring MAC Address Move Notification Traps


Device(config)# mac address-tablenotification mac-move


Example:

Step 6

Device(config)# end


Example:

Step 7




Example:

Step 8


What to do next

To disable MAC address-move notification traps, use the no snmp-server enable traps mac-notificationmove global configuration command. To disable the MAC address-move notification feature, use the no macaddress-table notification mac-move global configuration command.

You can verify your settings by entering the show mac address-table notification mac-move privilegedEXEC commands.

Configuring MAC Threshold Notification TrapsWhen you configure MAC threshold notification, an SNMP notification is generated and sent to the networkmanagement system when a MAC address table threshold limit is reached or exceeded.

Follow these steps to configure the switch to send MAC address table threshold notification traps to an NMShost:

Procedure




Device> enable


Administering the DeviceConfiguring MAC Threshold Notification Traps



Example:

Step 2


Specifies the recipient of the trap message.snmp-server host host-addr {traps | informs}{version {1 | 2c | 3}} community-stringnotification-type

Step 3


Example:• traps (the default)—Sends SNMP traps tothe host.Device(config)# snmp-server host

172.20.10.10 traps private • informs—Sends SNMP informs to thehost.

mac-notification


• community-string—Specifies the string tosend with the notification operation. Youcan set this string by using thesnmp-server host command, but werecommend that you define this string byusing the snmp-server communitycommand before using the snmp-serverhost command.


Enables MAC threshold notification traps tothe NMS.

snmp-server enable traps mac-notificationthreshold

Example:

Step 4


mac-notification threshold

Enables theMAC address threshold notificationfeature.

mac address-table notification threshold

Example:

Step 5

Device(config)# mac address-tablenotification threshold

Enters the threshold value for theMAC addressthreshold usage monitoring.

mac address-table notification threshold[limit percentage] | [interval time]

Step 6


Administering the DeviceConfiguring MAC Threshold Notification Traps


Example: • (Optional) limit percentage—Specifies thepercentage of the MAC address table use;

Device(config)# mac address-table valid values are from 1 to 100 percent. Thedefault is 50 percent.notification threshold interval 123

Device(config)# mac address-tablenotification threshold limit 78 • (Optional) interval time—Specifies the

time between notifications; valid valuesare greater than or equal to 120 seconds.The default is 120 seconds.


Example:

Step 7

Device(config)# end


Example:

Step 8




Example:

Step 9


Disabling MAC Address Learning on VLANThis feature is supported on Cisco Catalyst 9500 High Performance Series Switches.

You can control MAC address learning on a VLAN to manage the available MAC address table space bycontrolling which VLANs can learn MAC addresses. Before you disable MAC address learning, be sure thatyou are familiar with the network topology. Disabling MAC address learning on VLAN could cause floodingin the network.

Beginning in privileged EXEC mode, follow these steps to disable MAC address learning on a VLAN:

Before you begin

Follow these guidelines when disabling MAC address learning on a VLAN:

• Use caution before disablingMAC address learning on a VLANwith a configured switch virtual interface(SVI). The switch then floods all IP packets in the Layer 2 domain.

• You can disable MAC address learning on a single VLAN ID from 2 - 4093 (for example, no macaddress-table learning vlan 223) or a range of VLAN IDs, separated by a hyphen or comma (for example,no mac address-table learning vlan 1-10, 15).


Administering the DeviceDisabling MAC Address Learning on VLAN

• It is recommended that you disable MAC address learning only in VLANs with two ports. If you disableMAC address learning on a VLANwith more than two ports, every packet entering the switch is floodedin that VLAN domain.

• If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning isnot disabled on that port.

Procedure


Enters the global configuration mode.configure terminal

Example:

Step 1


Disable MAC address learning on a specifiedVLAN or VLANs.

no mac-address-table learning vlan[vlan-id|,vlan-id | -vlan-id,]

Step 2

Example: You can specify a single VLAN ID or a rangeof VLAN IDs separated by a hyphen or comma.Device(config)# no mac-address-table

learning {vlan vlan-id [,vlan-id |-vlan-id]

Valid VLAN IDs range from 2 - 4093. It cannotbe an internal VLAN.


Example:

Step 3

Device(config)# end

Verify the configuration.show mac-address-table learning vlan[vlan-id]

Step 4

You can display the MAC address learningstatus of all VLANs or a specified VLAN byExample:entering the show mac-address-table learning[vlan vlan-id] privileged EXEC command.

Device# show mac-address-table learning[vlan vlan-id]

(Optional) Save your entries in the configurationfile.


Example:

Step 5


(Optional) Reenable MAC address learning onVLAN in a global configuration mode.

default mac address-table learning

Example:

Step 6

Device# default mac address-table

Adding and Removing Static Address EntriesFollow these steps to add a static address:


Administering the DeviceAdding and Removing Static Address Entries

Procedure




Device> enable


Example:

Step 2


Adds a static address to theMAC address table.mac address-table static mac-addr vlanvlan-id interface interface-id

Step 3

• mac-addr—Specifies the destinationMACunicast address to add to the address table.Example:Packets with this destination address

Device(config)# mac address-table received in the specified VLAN areforwarded to the specified interface.static c2f3.220a.12f4 vlan 4 interface

gigabitethernet 1/0/1• vlan-id—Specifies the VLAN for whichthe packet with the specifiedMAC addressis received. Valid VLAN IDs are 1 to4094.

• interface-id—Specifies the interface towhich the received packet is forwarded.Valid interfaces include physical ports orport channels. For static multicastaddresses, you can enter multiple interfaceIDs. For static unicast addresses, you canenter only one interface at a time, but youcan enter the commandmultiple times withthe same MAC address and VLAN ID.


Example:

Step 4




Example:

Step 5



Administering the DeviceAdding and Removing Static Address Entries

Configuring Unicast MAC Address FilteringFollow these steps to configure the device to drop a source or destination unicast static address:

Procedure



Example: • Enter your password if prompted.Device> enable


Example:

Step 2


Enables unicast MAC address filtering andconfigure the device to drop a packet with the

mac address-table static mac-addr vlanvlan-id drop

Step 3

specified source or destination unicast staticaddress.Example:

Device(config)# mac address-table staticc2f3.220a.12f4 vlan 4 drop • mac-addr—Specifies a source or

destination unicast MAC address (48-bit).Packets with this MAC address aredropped.

• vlan-id—Specifies the VLAN for whichthe packet with the specifiedMAC addressis received. Valid VLAN IDs are 1 to4094.


Example:

Step 4

Device(config)# end


Example:

Step 5




Example:

Step 6


Monitoring and Maintaining Administration of the DevicePurposeCommand

Removes all dynamic entries.clear mac address-table dynamic


Administering the DeviceConfiguring Unicast MAC Address Filtering

PurposeCommand

Removes a specific MAC address.clear mac address-table dynamic addressmac-address

Removes all addresses on the specified physical portor port channel.

clear mac address-table dynamic interfaceinterface-id

Removes all addresses on a specified VLAN.clear mac address-table dynamic vlan vlan-id

Displays the time and date configuration.show clock [detail]

Displays the Layer 2 multicast entries for all VLANsor the specified VLAN.

show ip igmp snooping groups

Displays MAC address table information for thespecified MAC address.

show mac address-table address mac-address

Displays the aging time in all VLANs or the specifiedVLAN.

show mac address-table aging-time

Displays the number of addresses present in allVLANs or the specified VLAN.

show mac address-table count

Displays only dynamic MAC address table entries.show mac address-table dynamic

Displays the MAC address table information for thespecified interface.

show mac address-table interface interface-name

Displays the MAC address table move updateinformation.

show mac address-table move update

Displays a list of multicast MAC addresses.show mac address-table multicast

Displays theMAC notification parameters and historytable.

show mac address-table notification {change |mac-move | threshold}

Displays the secure MAC addresses.show mac address-table secure

Displays only static MAC address table entries.show mac address-table static

Displays the MAC address table information for thespecified VLAN.

show mac address-table vlan vlan-id

Configuration Examples for Device Administration

Example: Setting the System Clock

This example shows how to manually set the system clock:

Device# clock set 13:32:00 23 July 2013


Administering the DeviceConfiguration Examples for Device Administration

Examples: Configuring Summer TimeThis example (for daylight savings time) shows how to specify that summer time starts on March 10 at 02:00and ends on November 3 at 02:00:

Device(config)# clock summer-time PDT recurring PST date10 March 2013 2:00 3 November 2013 2:00

This example shows how to set summer time start and end dates:

Device(config)#clock summer-time PST date20 March 2013 2:00 20 November 2013 2:00

Example: Configuring a MOTD Banner

This example shows how to configure a MOTD banner by using the pound sign (#) symbol as the beginningand ending delimiter:

Device(config)# banner motd #

This is a secure site. Only authorized users are allowed.For access, contact technical support.

#

Device(config)#

This example shows the banner that appears from the previous configuration:

Unix> telnet 192.0.2.15

Trying 192.0.2.15...

Connected to 192.0.2.15.

Escape character is '^]'.

This is a secure site. Only authorized users are allowed.

For access, contact technical support.

User Access Verification

Password:

Example: Configuring a Login BannerThis example shows how to configure a login banner by using the dollar sign ($) symbol as the beginningand ending delimiter:

Device(config)# banner login $


Administering the DeviceExamples: Configuring Summer Time

Access for authorized users only. Please enter your username and password.

$

Device(config)#

Example: Configuring MAC Address Change Notification TrapsThis example shows how to specify 172.20.10.10 as the NMS, enable MAC address notification traps to theNMS, enable the MAC address-change notification feature, set the interval time to 123 seconds, set thehistory-size to 100 entries, and enable traps whenever a MAC address is added on the specified port:

Device(config)# snmp-server host 172.20.10.10 traps private mac-notificationDevice(config)# snmp-server enable traps mac-notification changeDevice(config)# mac address-table notification changeDevice(config)# mac address-table notification change interval 123Device(config)# mac address-table notification change history-size 100Device(config)# interface gigabitethernet1/2/1Device(config-if)# snmp trap mac-notification change added

Example: Configuring MAC Threshold Notification Traps

This example shows how to specify 172.20.10.10 as the NMS, enable the MAC address threshold notificationfeature, set the interval time to 123 seconds, and set the limit to 78 per cent:

Device(config)# snmp-server host 172.20.10.10 traps private mac-notificationDevice(config)# snmp-server enable traps mac-notification thresholdDevice(config)# mac address-table notification thresholdDevice(config)# mac address-table notification threshold interval 123Device(config)# mac address-table notification threshold limit 78

Example: Adding the Static Address to the MAC Address TableThis example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packetis received in VLAN 4with thisMAC address as its destination address, the packet is forwarded to the specifiedport:

You cannot associate the same static MAC address to multiple interfaces. If the command is executed againwith a different interface, the static MAC address is overwritten on the new interface.

Note

Device(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet1/1/1


Administering the DeviceExample: Configuring MAC Address Change Notification Traps

Example: Configuring Unicast MAC Address FilteringThis example shows how to enable unicast MAC address filtering and how to configure drop packets thathave a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MACaddress as its source or destination, the packet is dropped:

Device(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop

Additional References for Device AdministrationRelated Documents

Document TitleRelated Topic

Command Reference (Catalyst 9500 SeriesSwitches)

For complete syntax and usage information for thecommands used in this chapter.

Feature History for Device AdministrationThis table provides release and related information for features explained in this module.

These features are available on all releases subsequent to the one they were introduced in, unless notedotherwise.

Feature InformationFeatureRelease

The device administration allows to configure thesystem time and date, system name, a login banner,and set up the DNS.

Support for this feature was introduced only on theC9500-12Q, C9500-16X, C9500-24Q, C9500-40Xmodels of the Cisco Catalyst 9500 Series Switches.

Device AdministrationCisco IOSXEEverest 16.5.1a

Support for this feature was introduced only on theC9500-32C, C9500-32QC, C9500-48Y4C, andC9500-24Y4C models of the Cisco Catalyst 9500Series Switches.

Device AdministrationCisco IOS XE Fuji 16.8.1a

Use Cisco Feature Navigator to find information about platform and software image support. To access CiscoFeature Navigator, go to http://www.cisco.com/go/cfn.


Administering the DeviceExample: Configuring Unicast MAC Address Filtering

http://www.cisco.com/go/cfn

C H A P T E R 2Boot Integrity Visibility

• Information About Boot Integrity Visibility, on page 41• Verifying the Software Image and Hardware, on page 41• Verifying Platform Identity and Software Integrity, on page 42• Additional References for Boot Integrity Visibility, on page 45• Feature History for Boot Integrity Visibility, on page 45

Information About Boot Integrity VisibilityBoot Integrity Visibility allows Cisco's platform identity and software integrity information to be visible andactionable. Platform identity provides the platform’s manufacturing installed identity. Software integrityexposes boot integrity measurements that can be used to assess whether the platform has booted trusted code.

During the boot process, the software creates a checksum record of each stage of the bootloader activities.

You can retrieve this record and compare it with a Cisco-certified record to verify if your software image isgenuine. If the checksum values do not match, you may be running a software image that is either not certifiedby Cisco or has been altered by an unauthorized party.

Verifying the Software Image and HardwareThis task describes how to retrieve the checksum record that was created during a switch bootup. Enter thefollowing commands in privileged EXEC mode.

On executing the following commands, youmight see themessage% Please Try After Few Seconds displayedon the CLI. This does not indicate a CLI failure, but indicates setting up of underlying infrastructure requiredto get the required output. We recommend waiting for a few minutes and then try the command again.

Note

The messages % Error retrieving SUDI certificate and % Error retrieving integrity data signify a realCLI failure.


Procedure


Displays checksum record for the specificSUDI.

show platform sudi certificate [sign [noncenonce]]

Step 1

Example: • (Optional) sign - Show signature

Device# show platform sudi certificate• (Optional) nonce - Enter a nonce value

sign nonce 123

Displays checksum record for boot stages.show platform integrity [sign [noncenonce]]

Step 2

• (Optional) sign - Show signatureExample:

• (Optional) nonce - Enter a nonce value

Device# show platform integrity signnonce 123

Verifying Platform Identity and Software IntegrityVerifying Platform Identity

The following example displays the Secure Unique Device Identity (SUDI) chain in PEM format. Encodedinto the SUDI is the Product ID and Serial Number of each individual device such that the device can beuniquely identified on a network of thousands of devices. The first certificate is the Cisco Root CA 2048 andthe second is the Cisco subordinate CA (ACT2 SUDI CA). Both certificates can be verified to match thosepublished on https://www.cisco.com/security/pki/. The third is the SUDI certificate.Device# show platform sudi certificate sign nonce 123-----BEGIN CERTIFICATE-----MIIDQzCCAiugAwIBAgIQX/h7KCtU3I1CoxW1aMmt/zANBgkqhkiG9w0BAQUFADA1MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwHhcNMDQwNTE0MjAxNzEyWhcNMjkwNTE0MjAyNTQyWjA1MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCwmrmrp68Kd6ficba0ZmKUeIhHxmJVhEAyv8CrLqUccda8bnuoqrpu0hWISEWdovyD0My5jOAmaHBKeN8hF570YQXJFcjPFto1YYmUQ6iEqDGYeJu5Tm8sUxJszR2tKyS7McQr/4NEb7Y9JHcJ6r8qqB9qVvYgDxFUl4F1pyXOWWqCZe+36ufijXWLbvLdT6ZeYpzPEApk0E5tzivMW/VgpSdHjWn0f84bcN5wGyDWbs2mAag8EtKpP6BrXruOIIt6keO1aO6g58QBdKhTCytKmg9lEg6CTY5j/e/rmxrbU6YTYK/CfdfHbBcl1HP7R2RQgYCUTOG/rksc35LtLgXfAgEDo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJ/PIFR5umgIJFq0roIlgX9p7L6owEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ2dhISjQal8dwy3U8pORFBi71R803UXHOjgxkhLtv5MOhmBVrBW7hmWYqpao2TB9k5UM8Z3/sUcuuVdJcr18JOagxEu5sv4dEX+5wW4q+ffy0vhN4TauYuXcB7w4ovXsNgOnbFp1iqRe6lJT37mjpXYgyc81WhJDtSd9i7rp77rMKSsH0T8laszBvt9YAretIpjsJyp8qS5UwGH0GikJ3+r/+n6yUA4iGe0OcaEb1fJU9u6ju7AQ7L4CYNu/2bPPu8Xs1gYJQk0XuPL1hS27PKSb3TkL4Eq1ZKR4OCXPDJoBYVL0fdX4lIdkxpUnwVwwEpxYB5DC2Ae/qPOgRnhCzU=-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIEPDCCAySgAwIBAgIKYQlufQAAAAAADDANBgkqhkiG9w0BAQUFADA1MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwHhcNMTEwNjMwMTc1NjU3WhcNMjkwNTE0MjAyNTQyWjAnMQ4wDAYDVQQKEwVDaXNj


Boot Integrity VisibilityVerifying Platform Identity and Software Integrity

https://www.cisco.com/security/pki/

bzEVMBMGA1UEAxMMQUNUMiBTVURJIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0m5l3THIxA9tN/hS5qR/6UZRpdd+9aE2JbFkNjht6gfHKd477AkS5XAtUs5oxDYVt/zEbslZq3+LR6qrqKKQVu6JYvH05UYLBqCj38s76NLk53905Wzp9pRcmRCPuX+a6tHF/qRuOiJ44mdeDYZo3qPCpxzprWJDPclM4iYKHumMQMqmgmg+xghHIooWS80BOcdiynEbeP5rZ7qRuewKMpl1TiI3WdBNjZjnpfjg66F+P4SaDkGbBXdGj13oVeF+EyFWLrFjj97fL2+8oauV43Qrvnf3d/GfqXj7ew+z/sXlXtEOjSXJURsyMEj53Rdd9tJwHky8neapszS+r+kdVQIDAQABo4IBWjCCAVYwCwYDVR0PBAQDAgHGMB0GA1UdDgQWBBRI2PHxwnDVW7t8cwmTr7i4MAP4fzAfBgNVHSMEGDAWgBQn88gVHm6aAgkWrSugiWBf2nsvqjBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vd3d3LmNpc2NvLmNvbS9zZWN1cml0eS9wa2kvY3JsL2NyY2EyMDQ4LmNybDBQBggrBgEFBQcBAQREMEIwQAYIKwYBBQUHMAKGNGh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3BraS9jZXJ0cy9jcmNhMjA0OC5jZXIwXAYDVR0gBFUwUzBRBgorBgEEAQkVAQwAMEMwQQYIKwYBBQUHAgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5L3BraS9wb2xpY2llcy9pbmRleC5odG1sMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcNAQEFBQADggEBAGh1qclr9tx4hzWgDERm371yeuEmqcIfi9b9+GbMSJbiZHc/CcCl0lJu0a9zTXA9w47H9/t6leduGxb4WeLxcwCiUgvFtCa51Iklt8nNbcKY/4dw1ex+7amATUQO4QggIE67wVIPu6bgAE3Ja/nRS3xKYSnj8H5TehimBSv6TECii5jUhOWryAK4dVo8hCjkjEkzu3ufBTJapnv89g9OE+H3VKM4L+/KdkUO+52djFKnhyl47d7cZR4DY4LIuFM2P1As8YyjzoNpK/urSRI14WdIlplR1nH7KNDl5618yfVP0IFJZBGrooCRBjOSwFv8cpWCbmWdPaCQT2nwIjTfY8c=-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIDdTCCAl2gAwIBAgIEAUOdPjANBgkqhkiG9w0BAQsFADAnMQ4wDAYDVQQKEwVDaXNjbzEVMBMGA1UEAxMMQUNUMiBTVURJIENBMB4XDTE3MDExMDE2NDUyOVoXDTI3MDExMDE2NDUyOVowYTEjMCEGA1UEBRMaUElEOldTLVhTVVAgU046SkFFMjA1MDA3MzAxDjAMBgNVBAoTBUNpc2NvMRgwFgYDVQQLEw9BQ1QtMiBMaXRlIFNVREkxEDAOBgNVBAMTB1dTLVhTVVAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHgbjvf7kfaYRtHwlCoLWS0Cb/eXXJlxZ1ardp4EwXq0QaGHbEs8B4oMPdZkpOb/e4TGY4f9qMrr9wDXikDh0hwl0CUf2Towm20lRILHkfotD1k9joWH+0oQKkU/rTQ/6ntMOe1SRNFaLOlPC9msNTSX4Gtdud+u9YQMN56lSG/w0D2ywbo9f08T+cAb3xUqkxBDHcApdBWXNGdRWFJRaoSFoSUD8U7/hJxmThYOZz5Mkm8d2cuF2qgVTvvsx94rIAdXH6881L85EkdG0rMrOCxtblytdo4MfEDwIxGG0+Dx/HAbuo8Gr/tYvzanPos8pzdgCW0/LX85uB8WxR8HfjAgMBAAGjbzBtMA4GA1UdDwEB/wQEAwIF4DAMBgNVHRMBAf8EAjAAME0GA1UdEQRGMESgQgYJKwYBBAEJFQIDoDUTM0NoaXBJRD1VWUpOVTFjeUNRR2NWSFZsSUU5amRDQXlOeUF4T0RveE1Ub3hPU0FVVVhNPTANBgkqhkiG9w0BAQsFAAOCAQEAu6FDk+dlubG6g+WyhKHHhuwu3U873Oieh0QfODYe7Ew5RmA2b8BEo5vD7TDjUGOXgKEkw7laNfrSQIPVQhasnGGseLMC1podxiq8Zw77js9C1rUlxLIzvMqmChSmyhR1G41tHkpzrsD8dFJohg+AwBQwLmyplmYidW9hojiwOVp+3CV2674IWAQDi7rbqdhMHQz+LKbsnjseb1/6gkFSH3UEVGcOHEihE6uEEH2V3ZOjfPKzwQHyn39DnxwNSgRIilFQMia11+i6CmkC4uyHRDYm7tDxxeDqxdALSHefFwPgrIuuQSj0UdQ5vdQXm0ao7DCw5dv0mCA9stGQUS1MWw==-----END CERTIFICATE-----

Signature version: 1Signature:49FA6BDC5CCD77C12F0E3EDD21D08AFA893AF8B5992365BC7AFF39CE5FD9ADE23DFFF29F50B9200C6D6DAC3A4E4ABD1605F39305663B93B56CB1CB46D78014F58CB46CFDF578F051533859EE91B8A5FAD4763ADE57B1A2ED2304A35AAEDF6B62967FBF4E7EA5A5A64085D9CC2FEFC0210BA5E97CD651625BDF5711F1D5C5571B9E5DD6EAF31C9FCB428F61B562885723F55179D7813500C93DDD5D98E5E39D4061A466067E04FFC050EDFE5F1836AE258C60C482D9452D6FC175C1354384F503FBB74DED3AFF80D580CE23F88FEFCFD565B116B85A60FBA6A8EDC3FE5AE2271D1D47085B3BDBA2F29C3935220B1A4B241B7C59EBBD8BA4E3DFEF174082EC072D

The optional RSA 2048 signature is across the three certificates, the signature version and theuser-provided nonce.RSA PKCS#1v1.5 Sign {<Nonce (UINT64)> || <Signature Version (UINT32)> || <Cisco Root CA2048 cert (DER)> ||<Cisco subordinate CA (DER)> || <SUDI certificate (DER)> }

Cisco management solutions are equipped with the ability to interpret the above output. However,a simple script using OpenSSL commands can also be used to display the identity of the platformand to verify the signature, thereby ensuring its Cisco unique device identity.[linux-host:~]openssl x509 -in sudicert.pem -subject -nooutsubject= /serialNumber=PID:WS-XC7R SN:FDO1946BG05/O=Cisco/OU=ACT-2 Lite SUDI/CN=WS-XC7R



Verifying Software Integrity

The following example displays the checksum record for the boot stages. The hashmeasurements are displayedfor each of the three stages of software successively booted. These hashes can be compared againstCisco-provided reference values. An option to sign the output gives a verifier the ability to ensure the outputis genuine and is not altered. A nonce can be provided to protect against replay attacks.

Boot integrity hashes are notMD5 hashes. For example, if you run verify /md5 cat9k_iosxe.16.10.01.SPA.bincommand for the bundle file, the hash will not match.

Note

The following is a sample output of the show platform integrity sign nonce 123 command in install mode.This output includes measurements of each installed package file.Device# show platform integrity sign nonce 123Platform: WS-XC7RBoot 0 Version: MA1004R06.1604052017Boot 0 Hash: A99EF9F31CE3F3F8533055407F1C88C62176E667E4E1DA0649EAA7A1282F205E0ABoot Loader Version: System Bootstrap, Version 16.8.0.7, DEVELOPMENT SOFTWAREBoot Loader Hash:942C2511D0EB10C8F5EC8B3ED529A5F2D210C4154434C6A591BF5553B06CBBE2039DADDD949C05722CABBB1429C41737CFC2C593A814FC87F6FBA0E9A0ADB09BOS Version: 16.10.01OS Hashes:cat9k-cc_srdriver.16.10.01.SPA.pkg :D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0cat9k-espbase.16.10.01.SPA.pkg :3EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEF43cat9k-guestshell.16.10.01.SPA.pkg :B0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03Ecat9k-rpbase.16.10.01.SPA.pkg :4057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C6cat9k-rpboot.16.10.01.SPA.pkg :AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057cat9k-sipbase.16.10.01.SPA.pkg :9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6Acat9k-sipspa.16.10.01.SPA.pkg :E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673cat9k-srdriver.16.10.01.SPA.pkg :4FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E211cat9k-webui.16.10.01.SPA.pkg :CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E2114FA7cat9k-wlc.16.10.01.SPA.pkg :AA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E2114FA7CCCAPCR0: A32CFED4F960494BC1311F7A31B52D5DE90FF501932670CD43AE6DBAD8735052PCR8: D2F8474CD82072464C11D7F7A3D5C37D078A8AA832D94B1B12E01BF400E0BBB4Signature version: 1Signature:4AB353BFAA7355B5CFEA4095822B540CED05775CB76EC3C419B5F6A3F15CC284415E4CB94D3A3FB5E150041C071A7CE17442AB8B112975931D37710A534288E794E552FD2B37FF49046AF9FEC340C26D6BE1B80FF9F42E47B8F12439A7C290BD3D454449B5D65F17066CCB8E0C4D8AB0FAEE034D27E546671177A4CBC9B4669ED218C879A3AA972D00C86549B2041C988D994756DB90EB6F2528721C096B60CF7D26087B87192D13904DF33236A9A4A6347F804302B0B96EC3421892CA16DBBDDFF75C1EA4FD2043168DD2C16A640D23663EAF65BB3E611ADF9A728C4F8229466900FB7D2C386F061B874E53B821C9668628277DA7372545076B1B0B9440B767

The following is a sample output of the show platform integrity sign nonce 123 command in bundle mode.This output includes measurements of the bundle file and each installed package.Device# show platform integrity sign nonce 123Platform: WS-XC7RBoot 0 Version: MA1004R06.1604052017Boot 0 Hash: A99EF9F31CE3F3F8533055407F1C88C62176E667E4E1DA0649EAA7A1282F205E0ABoot Loader Version: System Bootstrap, Version 16.8.0.7, DEVELOPMENT SOFTWAREBoot Loader Hash:942C2511D0EB10C8F5EC8B3ED529A5F2D210C4154434C6A591BF5553B06CBBE2039DADDD949C05722CABBB1429C41737CFC2C593A814FC87F6FBA0E9A0ADB09BOS Version: 16.10.01



OS Hashes:cat9k_iosxe.16.10.01.SPA.bin :F4CAD08BE1EF841C3A2E3ED8540829F08F3CBA9336F38E45669D4D8B15AD15E365B922AC8B4DC0D5B63E2806D6A1BDAB7839DD9DC8CD7E366A49ED648C113440cat9k-cc_srdriver.16.10.01.SPA.pkg :D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0cat9k-espbase.16.10.01.SPA.pkg :3EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEF43cat9k-guestshell.16.10.01.SPA.pkg :B0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03Ecat9k-rpbase.16.10.01.SPA.pkg :4057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C6cat9k-rpboot.16.10.01.SPA.pkg :AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057cat9k-sipbase.16.10.01.SPA.pkg :9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6Acat9k-sipspa.16.10.01.SPA.pkg :E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673cat9k-srdriver.16.10.01.SPA.pkg :4FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E211cat9k-webui.16.10.01.SPA.pkg :CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E2114FA7cat9k-wlc.16.10.01.SPA.pkg :AA7ED0AE935CB0BD84E0D0D155C1DEFDB03EB0C64057AD6A9673E2114FA7CCCAAA7ED0AE935CB0BD84E0D0D155C1DEFB03EB0C64057AD6A9673E2114FA7CCCAPCR0: A32CFED4F960494BC1311F7A31B52D5DE90FF501932670CD43AE6DBAD8735052PCR8: D2F8474CD82072464C11D7F7A3D5C37D078A8AA832D94B1B12E01BF400E0BBB4Signature version: 1Signature:4AB353BFAA7355B5CFEA4095822B540CED05775CB76EC3C419B5F6A3F15CC284415E4CB94D3A3FB5E150041C071A7CE17442AB8B112975931D37710A534288E794E552FD2B37FF49046AF9FEC340C26D6BE1B80FF9F42E47B8F12439A7C290BD3D454449B5D65F17066CCB8E0C4D8AB0FAEE034D27E546671177A4CBC9B4669ED218C879A3AA972D00C86549B2041C988D994756DB90EB6F2528721C096B60CF7D26087B87192D13904DF33236A9A4A6347F804302B0B96EC3421892CA16DBBDDFF75C1EA4FD2043168DD2C16A640D23663EAF65BB3E611ADF9A728C4F8229466900FB7D2C386F061B874E53B821C9668628277DA7372545076B1B0B9440B767

Additional References for Boot Integrity VisibilityRelated Documents


Command Reference (Catalyst 9500 Series Switches)For complete syntax and usage information forthe commands used in this chapter.

Feature History for Boot Integrity VisibilityThis table provides release and related information for features explained in this module.



Boot Integrity VisibilityAdditional References for Boot Integrity Visibility


Boot Integrity Visibility allows Cisco's platformidentity and software integrity information to bevisible and actionable. Platform identity providesthe platform’s manufacturing installed identity.


Boot Integrity VisibilityCisco IOS XE Fuji 16.8.1a


Boot Integrity VisibilityCisco IOS XE Fuji 16.9.1



Boot Integrity VisibilityFeature History for Boot Integrity Visibility


C H A P T E R 3Performing Device Setup Configuration

• Restrictions for Performing Device Setup Configuration, on page 47• Information About Performing Device Setup Configuration, on page 47• How to Perform Device Setup Configuration, on page 59• Configuration Examples for Device Setup Configuration, on page 73• Additional References For Performing Device Setup, on page 92• Feature History for Performing Device Setup Configuration, on page 92

Restrictions for Performing Device Setup Configuration• Subpackage software installation is not supported.

Information About Performing Device Setup ConfigurationThe following sections provide information about how to perform a device setup configuration, including IPaddress assignments and Dynamic Host Configuration Protocol (DHCP) auto configuration.

Device Boot ProcessTo start your device, you need to follow the procedures described in the Cisco Catalyst 9500 Series SwitchesHardware Installation Guide for installing and powering on the device and setting up the initial deviceconfiguration.

The normal boot process involves the operation of the boot loader software and includes these activities:

• Performs low-level CPU initialization. This process initializes the CPU registers that control wherephysical memory is mapped, the quantity and speed of the physical memory, and so forth.

• Initializes the file systems on the system board.

• Loads a default operating system software image into memory and boots up the device.

• Performs power-on self-test (POST) for the CPU subsystem and tests the system DRAM. As part ofPOST, the following tests are also performed:

Cisco Catalyst 9500 Series Switches:


• Power over Ethernet (PoE) controller functionality test to check the chip accessibility, firmwaredownload, and health status of the power-sourcing equipment.

• Thermal test to verify the temperature reading from the device sensor.

• Fan modules test to verify if all the inserted fan modules are working properly on the board.

• Federal Information Processing Standard (FIPS) MACsec test.

Cisco Catalyst 9500 Series High Performance Switches:

• MAC loopback test to verify the data path between the CPU and network ports connected to eachmodule. If this test fails for any of the ports, the ports are forced into error-disabled state, and themodule is marked as post-fail in the show module command output.

For information about the complete list of supported online diagnostics, see the Configuring OnlineDiagnostics chapter.

The boot loader provides access to the file systems before the operating system is loaded. Normally, the bootloader is used only to load, decompress, and start the operating system. After the boot loader gives the operatingsystem control of the CPU, the boot loader is not active until the next system reset or power-on.

Before you can assign device information, make sure you have connected a PC or terminal to the console portor a PC to the Ethernet management port, and make sure you have configured the PC or terminal-emulationsoftware baud rate and character format to match these of the device console port:

• Baud rate default is 9600.

• Data bits default is 8.

If the data bits option is set to 8, set the parity option to none.Note

• Stop bits default is 2 (minor).

• Parity settings default is none.

Software Install OverviewThe Software Install feature provides a uniform experience across different types of upgrades, such as fullimage install, Software Maintenance Upgrade (SMU), In-Service Software Upgrade (ISSU)and In-ServiceModel Update (data model package).

The Software Install feature facilitates moving from one version of the software to another version in installmode. Use the install command in privileged EXEC mode to install or upgrade a software image. You canalso downgrade to a previous version of the software image, using the install mode.

The method that you use to upgrade Cisco IOS XE software depends on whether the switch is running ininstall mode or in bundle mode. In bundle mode or consolidated boot mode, a .bin image file is used from alocal or remote location to boot the device. In the install boot mode, the bootloader uses the packages.conffile to boot up the device.

The following software install features are supported on your switch:

• Software bundle installation on a standalone switch.


Performing Device Setup ConfigurationSoftware Install Overview

• Software rollback to a previously installed package set.

• Emergency installation in the event that no valid installed packages reside on the boot flash.

This feature is not supported on the Cisco Catalyst 9500 Series High PerformanceSwitches.

Note

Software Boot ModesYour device supports two modes to boot the software packages:

• Installed mode

• Bundle mode

Installed Boot Mode

You can boot your device in installed mode by booting the software package provisioning file that resides inflash:Switch: boot flash:packages.conf

The packages.conf file for particular release is created on following the install workflow described in thesection, Installing a Software Package.

Note

The provisioning file contains a list of software packages to boot, mount, and run. The ISO file system ineach installed package is mounted to the root file system directly from flash.

The packages and provisioning file used to boot in installed mode must reside in flash. Booting in installedmode from usbflash0: or tftp: is not supported.

Note

Bundle Boot Mode

You can boot your device in bundle boot mode by booting the bundle (.bin) file:switch: boot flash:cat9k_iosxe.16.05.01a.SPA.bin

The provisioning file contained in a bundle is used to decide which packages to boot, mount, and run. Packagesare extracted from the bundle and copied to RAM. The ISO file system in each package is mounted to theroot file system.

Unlike install boot mode, additional memory that is equivalent to the size of the bundle is used when bootingin bundle mode.

Unlike install boot mode, bundle boot mode is available from several locations:

• flash:

• usbflash0:


Performing Device Setup ConfigurationSoftware Boot Modes

• tftp:

Changing the Boot Mode

To change a device running in bundle boot mode to install mode, set the boot variable to flash:packages.conf,and execute the install add file flash:cat9k_2.bin activate commit command. After the command is executed,the device reboots in install boot mode.

Installing the Software PackageYou can install the software package on a device by using the install add, install activate, and install commitcommands in privileged EXEC mode.

The install add command copies the software package from a local or remote location to the device. Thelocation can be FTP, HTTP, HTTPs, or TFTP. The command extracts individual components of the .bin fileinto sub-packages and packages.conf file. It also validates the file to ensure that the image file is specific tothe platform.

For the install activate command to work, the package must be available in the device bootflash. When thiscommand is configured, previously added packages from the .bin file get activated, and the system reloads.

Enable the install commit command to make updates persistent over reloads.

Installing an update replaces any previously installed software image. At any time, only one image is installedon the device.

The following flow chart explains how the software install works:Figure 3: Committing a Software Package

The install activate command reloads the device with the new image.Note

Terminating a Software InstallYou can terminate the activation of a software image in the following ways:

• Using the install activate auto-abort-timer command. When the device reloads after activating a newimage, the auto-abort-timer is triggered. If the timer expires before issuing the install commit command,then the installation process is terminated; the device reloads again and boots up with the previous versionof the software image.

Use the install auto-abort-timer stop command to stop this timer.


Performing Device Setup ConfigurationChanging the Boot Mode

• Using the install abort command. This command rolls back to the version that was running beforeinstalling the new software. Use this command before issuing the install commit command.

Devices Information AssignmentYou can assign IP information through the device setup program, through a DHCP server, or manually.

Use the device setup program if you want to be prompted for specific IP information. With this program, youcan also configure a hostname and an enable secret password.

It gives you the option of assigning a Telnet password (to provide security during remote management) andconfiguring your switch as a command or member switch of a cluster or as a standalone switch.

Use a DHCP server for centralized control and automatic assignment of IP information after the server isconfigured.

If you are using DHCP, do not respond to any of the questions in the setup program until the device receivesthe dynamically assigned IP address and reads the configuration file.

Note

If you are an experienced user familiar with the device configuration steps, manually configure the device.Otherwise, use the setup program described in section Device Boot Process, on page 47.

Default Switch InformationTable 4: Default Switch Information


No IP address or subnet mask are defined.IP address and subnet mask

No default gateway is defined.Default gateway

No password is defined.Enable secret password

The factory-assigned default hostname is device.Hostname

No password is defined.Telnet password

Disabled.Cluster command switch functionality

No cluster name is defined.Cluster name

DHCP-Based Autoconfiguration OverviewDHCP provides configuration information to Internet hosts and internetworking devices. This protocol consistsof two components: one for delivering configuration parameters from a DHCP server to a device and anoperation for allocating network addresses to devices. DHCP is built on a client-server model, in whichdesignated DHCP servers allocate network addresses and deliver configuration parameters to dynamicallyconfigured devices. The device can act as both a DHCP client and a DHCP server.


Performing Device Setup ConfigurationDevices Information Assignment

During DHCP-based autoconfiguration, your device (DHCP client) is automatically configured at startupwith IP address information and a configuration file.

With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your device. However,you need to configure the DHCP server for various lease options associated with IP addresses.

If you want to use DHCP to relay the configuration file location on the network, you might also need toconfigure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.

We recommend a redundant connection between a switch stack and the DHCP, DNS, and TFTP servers. Thisis to help ensure that these servers remain accessible in case one of the connected stack members is removedfrom the switch stack.

Note

The DHCP server for your device can be on the same LAN or on a different LAN than the device. If theDHCP server is running on a different LAN, you should configure a DHCP relay device between your deviceand the DHCP server. A relay device forwards broadcast traffic between two directly connected LANs. Arouter does not forward broadcast packets, but it forwards packets based on the destination IP address in thereceived packet.

DHCP-based autoconfiguration replaces the BOOTP client functionality on your device.

DHCP Client Request ProcessWhen you boot up your device, the DHCP client is invoked and requests configuration information from aDHCP server when the configuration file is not present on the device. If the configuration file is present andthe configuration includes the ip address dhcp interface configuration command on specific routed interfaces,the DHCP client is invoked and requests the IP address information for those interfaces.

This is the sequence of messages that are exchanged between the DHCP client and the DHCP server.Figure 4: DHCP Client and Server Message Exchange

The client, Device A, broadcasts a DHCPDISCOVER message to locate a DHCP server. The DHCP serveroffers configuration parameters (such as an IP address, subnet mask, gateway IP address, DNS IP address, alease for the IP address, and so forth) to the client in a DHCPOFFER unicast message.

In a DHCPREQUEST broadcast message, the client returns a formal request for the offered configurationinformation to the DHCP server. The formal request is broadcast so that all other DHCP servers that receivedthe DHCPDISCOVER broadcast message from the client can reclaim the IP addresses that they offered tothe client.

The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACKunicast message to the client. With this message, the client and server are bound, and the client usesconfiguration information received from the server. The amount of information the device receives dependson how you configure the DHCP server.

If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid (aconfiguration error exists), the client returns a DHCPDECLINE broadcast message to the DHCP server.


Performing Device Setup ConfigurationDHCP Client Request Process

The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offeredconfiguration parameters have not been assigned, that an error has occurred during the negotiation of theparameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP serverassigned the parameters to another client).

A DHCP client might receive offers frommultiple DHCP or BOOTP servers and can accept any of the offers;however, the client usually accepts the first offer it receives. The offer from the DHCP server is not a guaranteethat the IP address is allocated to the client; however, the server usually reserves the address until the clienthas had a chance to formally request the address. If the device accepts replies from a BOOTP server andconfigures itself, the device broadcasts, instead of unicasts, TFTP requests to obtain the device configurationfile.

The DHCP hostname option allows a group of devices to obtain hostnames and a standard configuration fromthe central management DHCP server. A client (device) includes in its DCHPDISCOVERmessage an option12 field used to request a hostname and other configuration parameters from theDHCP server. The configurationfiles on all clients are identical except for their DHCP-obtained hostnames.

DHCP-Based Autoconfiguration and Image UpdateYou can use the DHCP image upgrade features to configure a DHCP server to download both a new imageand a new configuration file to one or more devices in a network. Simultaneous image and configurationupgrade for all switches in the network helps ensure that each new device added to a network receives thesame image and configuration.

There are two types of DHCP image upgrades: DHCP autoconfiguration and DHCP auto-image update.

Restrictions for DHCP-Based Autoconfiguration• The DHCP-based autoconfiguration with a saved configuration process stops if there is not at least oneLayer 3 interface in an up state without an assigned IP address in the network.

• Unless you configure a timeout, the DHCP-based autoconfiguration with a saved configuration featuretries indefinitely to download an IP address.

• The auto-install process stops if a configuration file cannot be downloaded or if the configuration file iscorrupted.

• The configuration file that is downloaded from TFTP is merged with the existing configuration in therunning configuration but is not saved in the NVRAM unless you enter the write memory orcopy running-configuration startup-configuration privileged EXEC command. If the downloadedconfiguration is saved to the startup configuration, the feature is not triggered during subsequent systemrestarts.

DHCP AutoconfigurationDHCP autoconfiguration downloads a configuration file to one or more devices in your network from aDHCPserver. The downloaded configuration file becomes the running configuration of the device. It does not overwrite the bootup configuration saved in the flash, until you reload the device.


Performing Device Setup ConfigurationDHCP-Based Autoconfiguration and Image Update

DHCP Auto-Image UpdateYou can use DHCP auto-image upgrade with DHCP autoconfiguration to download both a configuration anda new image to one or more devices in your network. The devices (or devices) downloading the newconfiguration and the new image can be blank (or only have a default factory configuration loaded).

If the new configuration is downloaded to a switch that already has a configuration, the downloadedconfiguration is appended to the configuration file stored on the switch. (Any existing configuration is notoverwritten by the downloaded one.)

To enable a DHCP auto-image update on the device, the TFTP server where the image and configuration filesare located must be configured with the correct option 67 (the configuration filename), option 66 (the DHCPserver hostname) option 150 (the TFTP server address), and option 125 (description of the Cisco IOS imagefile) settings.

After you install the device in your network, the auto-image update feature starts. The downloaded configurationfile is saved in the running configuration of the device, and the new image is downloaded and installed on thedevice. When you reboot the device, the configuration is stored in the saved configuration on the device.

DHCP Server Configuration GuidelinesFollow these guidelines if you are configuring a device as a DHCP server:

• You should configure the DHCP server with reserved leases that are bound to each device by the devicehardware address.

• If you want the device to receive IP address information, you must configure the DHCP server with theselease options:

• IP address of the client (required)

• Subnet mask of the client (required)

• DNS server IP address (optional)

• Router IP address (default gateway address to be used by the device) (required)

• If you want the device to receive the configuration file from a TFTP server, you must configure theDHCP server with these lease options:

• TFTP server name (required)

• Boot filename (the name of the configuration file that the client needs) (recommended)

• Hostname (optional)

• Depending on the settings of the DHCP server, the device can receive IP address information, theconfiguration file, or both.

• If you do not configure the DHCP server with the lease options described previously, it replies to clientrequests with only those parameters that are configured. If the IP address and the subnet mask are not inthe reply, the device is not configured. If the router IP address or the TFTP server name are not found,the device might send broadcast, instead of unicast, TFTP requests. Unavailability of other lease optionsdoes not affect autoconfiguration.

• The device can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent featuresare enabled on your device but are not configured. (These features are not operational.)


Performing Device Setup ConfigurationDHCP Auto-Image Update

Purpose of the TFTP ServerBased on the DHCP server configuration, the device attempts to download one or more configuration filesfrom the TFTP server. If you configured the DHCP server to respond to the device with all the options requiredfor IP connectivity to the TFTP server, and if you configured the DHCP server with a TFTP server name,address, and configuration filename, the device attempts to download the specified configuration file fromthe specified TFTP server.

If you did not specify the configuration filename, the TFTP server, or if the configuration file could not bedownloaded, the device attempts to download a configuration file by using various combinations of filenamesand TFTP server addresses. The files include the specified configuration filename (if any) and these files:network-config, cisconet.cfg, hostname.config, or hostname.cfg, where hostname is the device’s currenthostname. The TFTP server addresses used include the specified TFTP server address (if any) and the broadcastaddress (255.255.255.255).

For the device to successfully download a configuration file, the TFTP server must contain one or moreconfiguration files in its base directory. The files can include these files:

• The configuration file named in the DHCP reply (the actual device configuration file).

• The network-confg or the cisconet.cfg file (known as the default configuration files).

• The router-confg or the ciscortr.cfg file (These files contain commands common to all device. Normally,if the DHCP and TFTP servers are properly configured, these files are not accessed.)

If you specify the TFTP server name in the DHCP server-lease database, you must also configure the TFTPserver name-to-IP-address mapping in the DNS-server database.

If the TFTP server to be used is on a different LAN from the device, or if it is to be accessed by the devicethrough the broadcast address (which occurs if the DHCP server response does not contain all the requiredinformation described previously), a relay must be configured to forward the TFTP packets to the TFTP server.The preferred solution is to configure the DHCP server with all the required information.

Purpose of the DNS ServerThe DHCP server uses the DNS server to resolve the TFTP server name to an IP address. You must configurethe TFTP server name-to-IP address map on the DNS server. The TFTP server contains the configurationfiles for the device.

You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from wherethe DHCP replies will retrieve them. You can enter up to two DNS server IP addresses in the lease database.

The DNS server can be on the same LAN or on a different LAN from the device. If it is on a different LAN,the device must be able to access it through a router.

How to Obtain Configuration FilesDepending on the availability of the IP address and the configuration filename in the DHCP reserved lease,the device obtains its configuration information in these ways:

• The IP address and the configuration filename is reserved for the device and provided in the DHCP reply(one-file read method).

The device receives its IP address, subnet mask, TFTP server address, and the configuration filenamefrom the DHCP server. The device sends a unicast message to the TFTP server to retrieve the namedconfiguration file from the base directory of the server and upon receipt, it completes its boot up process.


Performing Device Setup ConfigurationPurpose of the TFTP Server

• The IP address and the configuration filename is reserved for the device, but the TFTP server address isnot provided in the DHCP reply (one-file read method).

The device receives its IP address, subnet mask, and the configuration filename from the DHCP server.The device sends a broadcast message to a TFTP server to retrieve the named configuration file fromthe base directory of the server, and upon receipt, it completes its boot-up process.

• Only the IP address is reserved for the device and provided in the DHCP reply. The configuration filenameis not provided (two-file read method).

The device receives its IP address, subnet mask, and the TFTP server address from the DHCP server.The device sends a unicast message to the TFTP server to retrieve the network-confg or cisconet.cfgdefault configuration file. (If the network-confg file cannot be read, the device reads the cisconet.cfgfile.)

The default configuration file contains the hostnames-to-IP-address mapping for the device. The devicefills its host table with the information in the file and obtains its hostname. If the hostname is not foundin the file, the device uses the hostname in the DHCP reply. If the hostname is not specified in the DHCPreply, the device uses the default Switch as its hostname.

After obtaining its hostname from the default configuration file or the DHCP reply, the device reads theconfiguration file that has the same name as its hostname (hostname-confg or hostname.cfg, dependingon whether network-confg or cisconet.cfg was read earlier) from the TFTP server. If the cisconet.cfg fileis read, the filename of the host is truncated to eight characters.

If the device cannot read the network-confg, cisconet.cfg, or the hostname file, it reads the router-confgfile. If the device cannot read the router-confg file, it reads the ciscortr.cfg file.

The device broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if allattempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannotbe resolved to an IP address.

Note

How to Control Environment VariablesWith a normally operating device, you enter the boot loader mode only through the console connectionconfigured for 9600 bps. Unplug the device power cord, and press the Mode button while reconnecting thepower cord. You can release the Mode button after the system LED begins flashing green and remains solid.The boot loader device prompt then appears.

The device boot loader software provides support for nonvolatile environment variables, which can be usedto control how the boot loader, or any other software running on the system, operates. Boot loader environmentvariables are similar to environment variables that can be set on UNIX or DOS systems.

Environment variables that have values are stored in flash memory outside of the flash file system.

Each line in these files contains an environment variable name and an equal sign followed by the value of thevariable. A variable has no value if it is not present; it has a value if it is listed even if the value is a null string.A variable that is set to a null string (for example, “ ”) is a variable with a value. Many environment variablesare predefined and have default values.

You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOScommands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.


Performing Device Setup ConfigurationHow to Control Environment Variables

Common Environment VariablesThis table describes the function of the most common environment variables.

Table 5: Common Environment Variables

Cisco IOS Global ConfigurationCommand

Boot Loader CommandVariable

boot system {filesystem : /file-url ... |switch {number | all}}

Specifies the Cisco IOS image to loadduring the next boot cycle and the stackmembers on which the image is loaded.This command changes the setting ofthe BOOT environment variable.

The package provisioning file, alsoreferred to as the packages.conf file, isused by the system to determine whichsoftware packages to activate duringboot up.

• When booting in installed mode,the package provisioning filespecified in the boot command isused to determine which packagesto activate. For example bootflash:packages.conf.

• When booting in bundle mode, thepackage provisioning filecontained in the booted bundle isused to activate the packagesincluded in the bundle. Forexample, boot flash:image.bin.

set BOOT filesystem :/ file-url...

A semicolon-separated list ofexecutable files to try to loadand execute whenautomatically booting.

BOOT

boot manual

Enables manually booting the switchduring the next boot cycle and changesthe setting of the MANUAL_BOOTenvironment variable.

The next time you reboot the system,the switch is in boot loader mode. Toboot up the system, use the boot flash:filesystem :/ file-url boot loadercommand, and specify the name of thebootable image.

set MANUAL_BOOT yes

Decides whether the switchautomatically or manuallyboots.

Valid values are 1, yes, 0, andno. If it is set to no or 0, theboot loader attempts toautomatically boot up thesystem. If it is set to anythingelse, you must manually bootup the switch from the bootloader mode.

MANUAL_BOOT


Performing Device Setup ConfigurationCommon Environment Variables

Cisco IOS Global ConfigurationCommand

Boot Loader CommandVariable

boot config-file flash:/ file-url

Specifies the filename that Cisco IOSuses to read and write a nonvolatilecopy of the system configuration. Thiscommand changes the CONFIG_FILEenvironment variable.

set CONFIG_FILE flash:/file-url

Changes the filename thatCisco IOS uses to read andwrite a nonvolatile copy of thesystem configuration.

CONFIG_FILE

switch current-stack-member-numberrenumber new-stack-member-number

Changes the member number of a stackmember.

set SWITCH_NUMBERstack-member-number

Changes the member numberof a stack member.

SWITCH_NUMBER

switch stack-member-number prioritypriority-number

Changes the priority value of a stackmember.

set SWITCH_PRIORITYstack-member-number

Changes the priority value ofa stack member.

SWITCH_PRIORITY

line console 0

speed speed-value

Configures the baud rate.

set BAUD baud-rateBAUD

boot enable-break switch yes/no

Enables a break to the auto-boot cycle.You have 5 seconds to enter the breakcommand.

set ENABLE_BREAK yes/noENABLE_BREAK

Environment Variables for TFTPWhen the switch is connected to a PC through the Ethernet management port, you can download or upload aconfiguration file to the boot loader by using TFTP. Make sure the environment variables in this table areconfigured.

Table 6: Environment Variables for TFTP

DescriptionVariable

Specifies the MAC address of the switch.

We recommend that you do not modify this variable.Note

However, if you modify this variable after the boot loader is up or the value isdifferent from the saved value, enter this command before using TFTP. A reset isrequired for the new value to take effect.

MAC_ADDR

Specifies the IP address and the subnet mask for the associated IP subnet of theswitch.

IP_ADDRESS


Performing Device Setup ConfigurationEnvironment Variables for TFTP

DescriptionVariable

Specifies the IP address and subnet mask of the default gateway.DEFAULT_GATEWAY

Scheduled Reload of the Software ImageYou can schedule a reload of the software image to occur on the device at a later time (for example, late atnight or during the weekend when the device is used less), or you can synchronize a reload network-wide (forexample, to perform a software upgrade on all device in the network).

A scheduled reload must take place within approximately 24 days.Note

You have these reload options:

• Reload of the software to take affect in the specified minutes or hours and minutes. The reload must takeplace within approximately 24 hours. You can specify the reason for the reload in a string up to 255characters in length.

• Reload of the software to take place at the specified time (using a 24-hour clock). If you specify themonth and day, the reload is scheduled to take place at the specified time and date. If you do not specifythe month and day, the reload takes place at the specified time on the current day (if the specified timeis later than the current time) or on the next day (if the specified time is earlier than the current time).Specifying 00:00 schedules the reload for midnight.

The reload command halts the system. If the system is not set to manually boot up, it reboots itself.

If your device is configured for manual booting, do not reload it from a virtual terminal. This restrictionprevents the device from entering the boot loader mode and then taking it from the remote user’s control.

If you modify your configuration file, the device prompts you to save the configuration before reloading.During the save operation, the system requests whether you want to proceed with the save if the CONFIG_FILEenvironment variable points to a startup configuration file that no longer exists. If you proceed in this situation,the system enters setup mode upon reload.

To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.

How to Perform Device Setup ConfigurationUsing DHCP to download a new image and a new configuration to a device requires that you configure atleast two devices. One device acts as a DHCP and TFTP server and the second device (client) is configuredto download either a new configuration file or a new configuration file and a new image file.

Configuring DHCP Autoconfiguration (Only Configuration File)This task describes how to configure DHCP autoconfiguration of the TFTP and DHCP settings on an existingdevice in the network so that it can support the autoconfiguration of a new device.


Performing Device Setup ConfigurationScheduled Reload of the Software Image

Procedure



Example:

Step 1


Creates a name for the DHCP server addresspool, and enters DHCP pool configurationmode.

ip dhcp pool poolname

Example:

Device(config)# ip dhcp pool pool

Step 2

Specifies the name of the configuration filethat is used as a boot image.

boot filename

Example:

Step 3

Device(dhcp-config)# bootconfig-boot.text

Specifies the subnet network number andmaskof the DHCP address pool.

network network-number mask prefix-length

Example:

Step 4

The prefix length specifies thenumber of bits that comprise theaddress prefix. The prefix is analternative way of specifying thenetwork mask of the client. Theprefix length must be preceded bya forward slash (/).

NoteDevice(dhcp-config)# network 10.10.10.0255.255.255.0

Specifies the IP address of the default routerfor a DHCP client.

default-router address

Example:

Step 5

Device(dhcp-config)# default-router10.10.10.1

Specifies the IP address of the TFTP server.option 150 address

Example:

Step 6

Device(dhcp-config)# option 15010.10.10.1

Returns to global configuration mode.exit

Example:

Step 7


Performing Device Setup ConfigurationConfiguring DHCP Autoconfiguration (Only Configuration File)


Device(dhcp-config)# exit

Specifies the configuration file on the TFTPserver.

tftp-server flash:filename.text

Example:

Step 8

Device(config)# tftp-serverflash:config-boot.text

Specifies the address of the client that willreceive the configuration file.


Example:

Step 9

Device(config)# interfacefortygigabitethernet1/0/4

Puts the interface into Layer 3 mode.no switchport

Example:

Step 10

Device(config-if)# no switchport

Specifies the IP address and mask for theinterface.

ip address address mask

Example:

Step 11

Device(config-if)# ip address 10.10.10.1255.255.255.0


Example:

Step 12


Configuring DHCP Auto-Image Update (Configuration File and Image)This task describes DHCP autoconfiguration to configure TFTP and DHCP settings on an existing device tosupport the installation of a new switch.

Before you begin

You must first create a text file (for example, autoinstall_dhcp) that will be uploaded to the device. In the textfile, put the name of the image that you want to download (for example, cat9k_iosxe.16.xx.xx.SPA.bin).


Performing Device Setup ConfigurationConfiguring DHCP Auto-Image Update (Configuration File and Image)

Procedure



Example:

Step 1


Creates a name for the DHCP server addresspool and enter DHCP pool configurationmode.

ip dhcp pool poolname

Example:

Step 2

Device(config)# ip dhcp pool pool1

Specifies the name of the file that is used as aboot image.

boot filename

Example:

Step 3

Device(dhcp-config)# bootconfig-boot.text

Specifies the subnet network number andmaskof the DHCP address pool.

network network-number mask prefix-length

Example:

Step 4

The prefix length specifies thenumber of bits that comprise theaddress prefix. The prefix is analternative way of specifying thenetwork mask of the client. Theprefix length must be preceded bya forward slash (/).

NoteDevice(dhcp-config)# network 10.10.10.0255.255.255.0

Specifies the IP address of the default routerfor a DHCP client.

default-router address

Example:

Step 5

Device(dhcp-config)# default-router10.10.10.1

Specifies the IP address of the TFTP server.option 150 address

Example:

Step 6

Device(dhcp-config)# option 15010.10.10.1

Specifies the path to the text file that describesthe path to the image file.

option 125 hex

Example:

Step 7

Device(dhcp-config)# option 125 hex



PurposeCommand or Action0000.0009.0a05.08661.7574.6f69.6e73.7461.6c6c.5f64.686370

Uploads the text file to the device.copy tftp flash filename.txt

Example:

Step 8

Device(config)# copy tftp flashimage.bin

Uploads the tar file for the new image to thedevice.

copy tftp flash imagename.bin

Example:

Step 9

Device(config)# copy tftp flashimage.bin


Example:

Step 10

Device(dhcp-config)# exit

Specifies the Cisco IOS configuration file onthe TFTP server.

tftp-server flash: config.text

Example:

Step 11

Device(config)# tftp-serverflash:config-boot.text

Specifies the image name on the TFTP server.tftp-server flash: imagename.bin

Example:

Step 12

Device(config)# tftp-serverflash:image.bin

Specifies the text file that contains the nameof the image file to download

tftp-server flash: filename.txt

Example:

Step 13

Device(config)# tftp-serverflash:boot-config.text

Specifies the address of the client that willreceive the configuration file.


Example:

Step 14

Device(config)# interfacegigabitEthernet1/0/4




Puts the interface into Layer 3 mode.no switchport

Example:

Step 15

Device(config-if)# no switchport

Specifies the IP address and mask for theinterface.

ip address address mask

Example:

Step 16

Device(config-if)# ip address 10.10.10.1255.255.255.0


Example:

Step 17




Example:

Step 18


Configuring the Client to Download Files from DHCP Server

You should only configure and enable the Layer 3 interface. Do not assign an IP address or DHCP-basedautoconfiguration with a saved configuration.

Note

Procedure



Example:

Step 1


Enables autoconfiguration with a savedconfiguration.

boot host dhcp

Example:

Step 2

Device(conf)# boot host dhcp


Performing Device Setup ConfigurationConfiguring the Client to Download Files from DHCP Server


(Optional) Sets the amount of time the systemtries to download a configuration file.

boot host retry timeout timeout-value

Example:

Step 3

If you do not set a timeout, thesystemwill try indefinitely to obtainan IP address from the DHCP server.

NoteDevice(conf)# boot host retry timeout300

(Optional) Creates warning messages to bedisplayed when you try to save theconfiguration file to NVRAM.

banner config-save ^C warning-message ^C

Example:

Device(conf)# banner config-save ^C

Step 4

Caution - Saving Configuration Fileto NVRAM May Cause You to No longerAutomatically Download ConfigurationFiles at Reboot^C


Example:

Step 5


Verifies the configuration.show boot

Example:

Step 6

Device# show boot

Manually Assigning IP Information to Multiple SVIsThis task describes how to manually assign IP information to multiple switched virtual interfaces (SVIs):

Procedure




Device> enable


Example:

Step 2



Performing Device Setup ConfigurationManually Assigning IP Information to Multiple SVIs


Enters interface configuration mode, and entersthe VLAN to which the IP information isassigned. The range is 1 to 4094.

interface vlan vlan-id

Example:

Device(config)# interface vlan 99

Step 3

Enters the IP address and subnet mask.ip address ip-address subnet-mask

Example:

Step 4

Device(config-vlan)# ip address10.10.10.2 255.255.255.0


Example:

Step 5

Device(config-vlan)# exit

Enters the IP address of the next-hop routerinterface that is directly connected to the device

ip default-gateway ip-address

Example:

Step 6

where a default gateway is being configured.

Device(config)# ip default-gatewayThe default gateway receives IP packets withunresolved destination IP addresses from thedevice.

10.10.10.1

Once the default gateway is configured, thedevice has connectivity to the remote networkswith which a host needs to communicate.

When your device is configured toroute with IP, it does not need tohave a default gateway set.

Note

The device capwap relays ondefault-gateway configuration tosupport routed access point join thedevice.

Note


Example:

Step 7

Device(config)# end

Displays the interfaces status for the specifiedVLAN.

show interfaces vlan vlan-id

Example:

Step 8

Device# show interfaces vlan 99


Performing Device Setup ConfigurationManually Assigning IP Information to Multiple SVIs


Displays the Internet Control Message Protocol(ICMP) redirect messages.

show ip redirects

Example:

Step 9

Device# show ip redirects

Modifying Device Startup ConfigurationThe following sections provide information on how to modify the startup configuration of a device.

Specifying a Filename to Read and Write a System ConfigurationBy default, the Cisco IOS software uses the config.text file to read and write a nonvolatile copy of the systemconfiguration. However, you can specify a different filename, which will be loaded during the next boot cycle.

Before you begin

Use a standalone device for this task.

Procedure




Device> enable


Example:

Step 2


Specifies the configuration file to load duringthe next boot cycle.

boot flash:/file-url

Example:

Step 3

• file-url: The path (directory) and theconfiguration filename.Device(config)# boot flash:config.text

• Filenames and directory names arecase-sensitive.


Example:

Step 4

Device(config)# end


Performing Device Setup ConfigurationModifying Device Startup Configuration


Lists the contents of the BOOT environmentvariable (if set), the name of the configuration

show boot

Example:

Step 5

file pointed to by the CONFIG_FILE

Device# show bootenvironment variable, and the contents of theBOOTLDR environment variable.

• The boot global configuration commandchanges the setting of the CONFIG_FILEenvironment variable.



Example:

Step 6


Manually Booting the SwitchBy default, the switch automatically boots up; however, you can configure it to manually boot up.

Before you begin

Use a standalone switch for this task.

Procedure



Example:

Step 1


Enables the switch to manually boot up duringthe next boot cycle.

boot manual

Example:

Step 2

Device(config)# boot manual


Example:

Step 3

Device(config)# end

Verifies your entries.show bootStep 4

Example:


Performing Device Setup ConfigurationManually Booting the Switch


The boot manual global command changes thesetting of the MANUAL_BOOT environmentvariable.

Device# show boot

The next time you reboot the system, the switchis in boot loader mode, shown by the switch:prompt. To boot up the system, use the bootfilesystem:/file-url boot loader command.

• filesystem:—Uses flash: for the systemboard flash device.Switch: boot flash:

• For file-url—Specifies the path (directory)and the name of the bootable image.

Filenames and directory names arecase-sensitive.



Example:

Step 5


Booting the Device in Installed Mode

Installing a Software Package

You can install, activate, and commit a software package using a single command or using separate commands.This task shows how to use the install add file activate commit command for installing a software package.

Procedure




Copies the software install package from aremote location (via FTP, HTTP, HTTPs,

install add file tftp: filename [activatecommit]

Step 2

TFTP) to the device, performs a compatibilityExample: check for the platform and image versions,Device# install add filetftp://172.16.0.1//tftpboot/folder1/

activates the software package, and makes thepackage persistent across reloads.cat9k_iosxe.16.06.01.SPA.bin activate

commit • This command extracts the individualcomponents of the .bin file intosub-packages and packages.conf file.


Performing Device Setup ConfigurationBooting the Device in Installed Mode


• The device reloads after executing thiscommand.

Exits privileged EXECmode and returns to userEXEC mode.

exit

Example:

Step 3

Device# exit

Managing the Update Package

Procedure




Copies the software install package from aremote location (via FTP, HTTP, HTTPs,

install add file tftp: filename

Example:

Step 2

TFTP) to the device, and performs aDevice# install add filetftp://172.16.0.1//tftpboot/folder1/cat9k_iosxe.16.06.01.SPA.bin

compatibility check for the platform and imageversions.

• This command extracts the individualcomponents of the .bin file intosub-packages and packages.conf file.

Activates the added software install package,and reloads the device.

install activate [auto-abort-timer]

Example:

Step 3

• When doing a full software install, do notprovide a package filename.

Device# install activate

• The auto-abort-timer keyword,automatically rolls back the softwareimage activation.

The automatic timer is triggered after thenew image is activated. If the timer expiresprior to the issuing of the install commitcommand, then the install process isautomatically terminated. The devicereloads, and boots up with a previousversion of the software image.

(Optional) Terminates the software installactivation, and rolls back to the version that wasrunning before current installation procedure.

install abort

Example:Device# install abort

Step 4


Performing Device Setup ConfigurationManaging the Update Package


• You can use this command only when theimage is in an activated state; and not whenthe image is in a committed state.

Makes the changes persistent over reload.install commitStep 5

Example: • The install commit command completesthe new image installation. Changes areDevice# install commitpersistent across reloads until theauto-abort timer expires.

(Optional) Rolls back the update to the lastcommitted version.

install rollback to committed

Example:

Step 6

Device# install rollback to committed

(Optional) Deletes all unused and inactivesoftware installation files.

install remove {file filesystem: filename |inactive}

Example:

Step 7

Device# install remove inactive

Displays information about the active package.show install summaryStep 8

Example: • The output of this command variesaccording to the install commands that areconfigured.

Device# show install summary

Booting a Device in Bundle ModeThere are several methods by which you can boot the device — either by copying the bin file from the TFTPserver and then boot the device, or by booting the device straight from flash or USB flash using the commandsboot flash:<image.bin> or boot usbflash0:<image.bin> .

The following procedure explains how to boot the device from the TFTP server in the bundle mode.

Procedure


Sets the boot parameters.switch:BOOT=<source path of .bin file>

Example:

Step 1

switch:switch:BOOT=tftp://10.0.0.2/cat9k_iosxe.16.05.01a.SPA.binswitch:switch:

Boots the device.boot

Example:

Step 2

switch:boot


Performing Device Setup ConfigurationBooting a Device in Bundle Mode


(Optional) Displays the version of the imageinstalled.

show versionStep 3

Configuring a Scheduled Software Image ReloadThis task describes how to configure your device to reload the software image at a later time.

Procedure




Device> enable


Example:

Step 2


Saves your device configuration information tothe startup configuration before you use thereload command.


Example:Device# copy running-configstartup-config

Step 3

Schedules a reload of the software to take affectin the specified minutes or hours and minutes.

reload in [hh:]mm [text]

Example:

Step 4

The reload must take place within

Device# reload in 12approximately 24 days. You can specify thereason for the reload in a string up to 255characters in length.System configuration has been modified.

Save? [yes/no]: y

Specifies the time in hours and minutes for thereload to occur.

reload at hh:mm [month day | day month] [text]

Example:

Step 5

Use the at keyword only if thedevice system clock has been set(through Network Time Protocol(NTP), the hardware calendar, ormanually). The time is relative to theconfigured time zone on the device.To schedule reloads across severaldevices to occur simultaneously, thetime on each device must besynchronized with NTP.

NoteDevice(config)# reload at 14:00


Performing Device Setup ConfigurationConfiguring a Scheduled Software Image Reload


Cancels a previously scheduled reload.reload cancel

Example:

Step 6

Device(config)# reload cancel

Displays information about a previouslyscheduled reload or identifies if a reload hasbeen scheduled on the device.

show reload

Example:show reload

Step 7

Configuration Examples for Device Setup ConfigurationThe following sections provide configuration examples for device setup.

Examples: Displaying Software Bootup in Install ModeThe following example displays software bootup in install mode:switch: boot flash:packages.confAttempting to boot from [flash:packages.conf]Located packages.conf#

validate_package: SHA-1 hash:expected 340D5091:2872A0DD:03E9068C:3FDBECAB:69786462calculated 340D5091:2872A0DD:03E9068C:3FDBECAB:69786462

Image parsed from conf file is cat9k-rpboot.16.05.01a.SPA.pkg########################################################################################################################

Waiting for 120 seconds for other switches to boot#######################################################################################################################Switch number is 1

Restricted Rights Legend

Use, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.170 West Tasman DriveSan Jose, California 95134-1706

Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.5.1a,RELEASE SOFTWARE (fc2)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2017 by Cisco Systems, Inc.Compiled Tue 30-May-17 00:36 by mcpre


Performing Device Setup ConfigurationConfiguration Examples for Device Setup Configuration

Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.All rights reserved. Certain components of Cisco IOS-XE software arelicensed under the GNU General Public License ("GPL") Version 2.0. Thesoftware code licensed under GPL Version 2.0 is free software that comeswith ABSOLUTELY NO WARRANTY. You can redistribute and/or modify suchGPL code under the terms of GPL Version 2.0. For more details, see thedocumentation or "License Notice" file accompanying the IOS-XE software,or the applicable URL provided on the flyer accompanying the IOS-XEsoftware.

FIPS: Flash Key Check : BeginFIPS: Flash Key Check : End, Not Found, FIPS Mode Not Enabled

This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email [email protected].

cisco C9300-48P (X86) processor with 818597K/6147K bytes of memory.Processor board ID FCW2049G03S2048K bytes of non-volatile configuration memory.8388608K bytes of physical memory.1638400K bytes of Crash Files at crashinfo:.11264000K bytes of Flash at flash:.0K bytes of WebUI ODM Files at webui:.

Base Ethernet MAC Address : 04:6c:9d:01:3b:80Motherboard Assembly Number : 73-17956-04Motherboard Serial Number : FOC20465ABUModel Revision Number : P4BMotherboard Revision Number : 04Model Number : C9300-48PSystem Serial Number : FCW2049G03S

%INIT: waited 0 seconds for NVRAM to be available

Defaulting CPP : Policer rate for all classes will be set to their defaults

Press RETURN to get started!

The following example displays software bootup in bundle mode:switch: boot flash:cat9k_iosxe.16.05.01a.SPA.bin

Attempting to boot from [flash:cat9k_iosxe.16.05.01a.SPA.bin]Located cat9k_iosxe.16.05.01a.SPA.bin


Performing Device Setup ConfigurationExamples: Displaying Software Bootup in Install Mode

######################################################################################################################Warning: ignoring ROMMON var "BOOT_PARAM"

Waiting for 120 seconds for other switches to boot#######################################################################################################################Switch number is 3




Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.5.1a,RELEASE SOFTWARE (fc2)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2017 by Cisco Systems, Inc.Compiled Tue 30-May-17 00:36 by mcpre






cisco C9300-24U (X86) processor with 818597K/6147K bytes of memory.Processor board ID FCW2111G00X2048K bytes of non-volatile configuration memory.


Performing Device Setup ConfigurationExamples: Displaying Software Bootup in Install Mode

8388608K bytes of physical memory.1638400K bytes of Crash Files at crashinfo:.11264000K bytes of Flash at flash:.15633392K bytes of USB Flash at usbflash0:.0K bytes of WebUI ODM Files at webui:.

Base Ethernet MAC Address : 04:6c:9d:1e:2a:80Motherboard Assembly Number : 73-17954-05Motherboard Serial Number : FOC21094MWLModel Revision Number : PPMotherboard Revision Number : 05Model Number : C9300-24USystem Serial Number : FCW2111G00X


Defaulting CPP : Policer rate for all classes will be set to their defaults


Example: Emergency InstallationThe following is a sample output of the emergency-install boot command:switch: emergency-install tftp://10.10.0.10/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.binWARNING: The system partition (bootflash:) will be erased during the system recovery installprocess.Are you sure you want to proceed? [y] y/n [n]: yStarting system recovery (tftp://10.10.0.10/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin)...Attempting to boot from [sda9:cat9k-recovery.SSA.bin]Located cat9k-recovery.SSA.bin###########################################################################################################################################

Warning: ignoring ROMMON var "BOOT_PARAM"

PLATFORM_TYPE C9500 speed 9600

Booting Recovery Image 16.5.1a

Initiating Emergency Installation of bundletftp://10.10.0.10/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin

Downloading bundle tftp://10.10.0.10/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin...curl_vrf=2% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed100 485M 100 485M 0 0 5143k 0 0:01:36 0:01:36 --:--:-- 5256k100 485M 100 485M 0 0 5143k 0 0:01:36 0:01:36 --:--:-- 5143k

Validating bundle tftp://10.10.0.10/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin...Installing bundle tftp://10.10.0.10/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin....Verifying bundle tftp://10.10.0.10/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin...Package cat9k-cc_srdriver.16.05.01a.SPA.pkg /temp//stage/cat9k-cc_srdriver.16.05.01a.SPA.pkgis Digitally Signed


Performing Device Setup ConfigurationExample: Emergency Installation

Package cat9k-espbase.16.05.01a.SPA.pkg /temp//stage/cat9k-espbase.16.05.01a.SPA.pkg isDigitally SignedPackage cat9k-guestshell.16.05.01a.SPA.pkg /temp//stage/cat9k-guestshell.16.05.01a.SPA.pkgis Digitally SignedPackage cat9k-rpbase.16.05.01a.SPA.pkg /temp//stage/cat9k-rpbase.16.05.01a.SPA.pkg isDigitally SignedPackage cat9k-sipbase.16.05.01a.SPA.pkg /temp//stage/cat9k-sipbase.16.05.01a.SPA.pkg isDigitally SignedPackage cat9k-sipspa.16.05.01a.SPA.pkg /temp//stage/cat9k-sipspa.16.05.01a.SPA.pkg isDigitally SignedPackage cat9k-srdriver.16.05.01a.SPA.pkg /temp//stage/cat9k-srdriver.16.05.01a.SPA.pkg isDigitally SignedPackage cat9k-webui.16.05.01a.SPA.pkg /temp//stage/cat9k-webui.16.05.01a.SPA.pkg is DigitallySignedPackage cat9k-wlc.16.05.01a.SPA.pkg /temp//stage/cat9k-wlc.16.05.01a.SPA.pkg is DigitallySignedPackage /cat9k-rpboot.16.05.01a.SPA.pkg /temp//rpboot/cat9k-rpboot.16.05.01a.SPA.pkg isDigitally SignedPreparing flash....Flash filesystem unmounted successfully /dev/sdb3Syncing device....Emergency Install successful... RebootingWill reboot now

Initializing Hardware...

System Bootstrap, Version 16.5.2r, RELEASE SOFTWARE (P)Compiled Wed 05/31/2017 15:58:35.22 by rel

Current image running:Primary Rommon Image

Last reset cause: SoftwareReloadC9300-12Q platform with 8388608 Kbytes of main memory

Example: Managing an Update Package

The following example shows how to add a software package file:Device# install add file flash:cat9k_iosxe.16.06.02.SPA.bin activate commit

install_add_activate_commit: START Mon Oct 30 19:54:51 UTC 2017

System configuration has been modified.Press Yes(y) to save the configuration and proceed.Press No(n) for proceeding without saving the configuration.Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q]yBuilding configuration...

[OK]Modified configuration has been saved

*Oct 30 19:54:55.633: %IOSXE-5-PLATFORM: Switch 1 R0/0: Oct 30 19:54:55 install_engine.sh:

%INSTALL-5-INSTALL_START_INFO: Started install one-shotflash:cat9k_iosxe.16.06.02.SPA.bininstall_add_activate_commit: Adding PACKAGE

This operation requires a reload of the system. Do you want to proceed?Please confirm you have changed boot config to flash:packages.conf [y/n]y

--- Starting initial file syncing ---Info: Finished copying flash:cat9k_iosxe.16.06.02.SPA.bin to the selected switch(es)Finished initial file syncing


Performing Device Setup ConfigurationExample: Managing an Update Package

--- Starting Add ---Performing Add on all members[1] Add package(s) on switch 1[1] Finished Add on switch 1

Checking status of Add on [1]Add: Passed on [1]Finished Add

install_add_activate_commit: Activating PACKAGEFollowing packages shall be activated:/flash/cat9k-wlc.16.06.02.SPA.pkg/flash/cat9k-webui.16.06.02.SPA.pkg/flash/cat9k-srdriver.16.06.02.SPA.pkg/flash/cat9k-sipspa.16.06.02.SPA.pkg/flash/cat9k-sipbase.16.06.02.SPA.pkg/flash/cat9k-rpboot.16.06.02.SPA.pkg/flash/cat9k-rpbase.16.06.02.SPA.pkg/flash/cat9k-guestshell.16.06.02.SPA.pkg/flash/cat9k-espbase.16.06.02.SPA.pkg/flash/cat9k-cc_srdriver.16.06.02.SPA.pkg

This operation requires a reload of the system. Do you want to proceed? [y/n]y--- Starting Activate ---Performing Activate on all members[1] Activate package(s) on switch 1[1] Finished Activate on switch 1

Checking status of Activate on [1]Activate: Passed on [1]Finished Activate

--- Starting Commit ---Performing Commit on all members

*Oct 30 19:57:41.145: %IOSXE-5-PLATFORM: Switch 1 R0/0: Oct 30 19:57:41 rollback_timer.sh:

%INSTALL-5-INSTALL_AUTO_ABORT_TIMER_PROGRESS: Install auto abort timer will expire in 7200seconds [1]Commit package(s) on switch 1[1] Finished Commit on switch 1

Checking status of Commit on [1]Commit: Passed on [1]Finished Commit

Install will reload the system now!SUCCESS: install_add_activate_commit Mon Oct 30 19:57:48 UTC 2017

Device#*Oct 30 19:57:48.384: %IOSXE-5-PLATFORM: Switch 1 R0/0: Oct 30 19:57:48 install_engine.sh:

%INSTALL-5-INSTALL_COMPLETED_INFO: Completed install one-shot PACKAGEflash:cat9k_iosxe.16.06.02.SPA.bin

Chassis 1 reloading, reason - Reload command

The following is a sample output of the show install summary command after adding a softwarepackage file to a device:Device# show install summary

[ R0 ] Installed Package(s) Information:State (St): I - Inactive, U - Activated & Uncommitted,

C - Activated & Committed, D - Deactivated & Uncommitted



--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------IMG I 16.6.1.0IMG C 16.6.2.0

The following example shows how to activate an added software package file:Device# install activate

install_activate: START Mon Oct 30 20:14:20 UTC 2017install_activate: Activating PACKAGE


%INSTALL-5-INSTALL_START_INFO: Started install activateFollowing packages shall be activated:/flash/cat9k-wlc.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg/flash/cat9k-webui.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg/flash/cat9k-srdriver.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg/flash/cat9k-sipspa.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg/flash/cat9k-sipbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg/flash/cat9k-rpboot.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg/flash/cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg/flash/cat9k-guestshell.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg/flash/cat9k-espbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg/flash/cat9k-cc_srdriver.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg

This operation requires a reload of the system. Do you want to proceed? [y/n]y--- Starting Activate ---Performing Activate on all members[1] Activate package(s) on switch 1--- Starting list of software package changes ---Old files list:Removed cat9k-cc_srdriver.16.06.02.SPA.pkgRemoved cat9k-espbase.16.06.02.SPA.pkgRemoved cat9k-guestshell.16.06.02.SPA.pkgRemoved cat9k-rpbase.16.06.02.SPA.pkgRemoved cat9k-rpboot.16.06.02.SPA.pkgRemoved cat9k-sipbase.16.06.02.SPA.pkgRemoved cat9k-sipspa.16.06.02.SPA.pkgRemoved cat9k-srdriver.16.06.02.SPA.pkgRemoved cat9k-webui.16.06.02.SPA.pkgRemoved cat9k-wlc.16.06.02.SPA.pkg

New files list:Added cat9k-cc_srdriver.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgAdded cat9k-espbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgAdded cat9k-guestshell.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgAdded cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgAdded cat9k-rpboot.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgAdded cat9k-sipbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgAdded cat9k-sipspa.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgAdded cat9k-srdriver.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgAdded cat9k-webui.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgAdded cat9k-wlc.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkg

Finished list of software package changes[1] Finished Activate on switch 1


*Oct 30 20:15:56.572: %IOSXE-5-PLATFORM: Switch 1 R0/0: Oct 30 20:15:56 rollback_timer.sh:%INSTALL-5-INSTALL_AUTO_ABORT_TIMER_PROGRESS: Install auto abort timer will expire in 7200



secondsInstall will reload the system now!SUCCESS: install_activate Mon Oct 30 20:16:01 UTC 2017

Device#*Oct 30 20:16:01.935: %IOSXE-5-PLATFORM: Switch 1 R0/0: Oct 30 20:16:01install_engine.sh: %INSTALL-5-INSTALL_COMPLETED_INFO: Completed install activate PACKAGE


The following sample output from the show install summary command displays the status of thesoftware package as active and uncommitted:Device# show install summary


C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------IMG I 16.6.2.0IMG U 16.6.1.0Device#

The following example shows how to execute the install commit command:

Device# install commitinstall_commit: START Fri Jun 23 21:24:45 IST 2017install_commit: Committing PACKAGE

--- Starting Commit ---Performing Commit on Active/Standby[R0] Commit package(s) on R0[R0] Finished Commit on R0

Checking status of Commit on [R0]Commit: Passed on [R0]Finished Commit

SUCCESS: install_commit Fri Jun 23 21:24:48 IST 2017

Device#

The following example shows how to rollback an update package to the base package:Device# install rollback to committed

install_rollback: START Mon Oct 30 20:53:33 UTC 2017

This operation requires a reload of the system. Do you want to proceed? [y/n]

*Oct 30 20:53:34.713: %IOSXE-5-PLATFORM: Switch 1 R0/0: Oct 30 20:53:34install_engine.sh: %INSTALL-5-INSTALL_START_INFO: Started install rollback

--- Starting Rollback ---Performing Rollback on all members[1] Rollback package(s) on switch 1--- Starting rollback impact ---Changes that are part of this rollbackCurrent : rp 0 0 rp_boot cat9k-rpboot.16.06.02.prd9.SPA.pkgCurrent : rp 1 0 rp_boot cat9k-rpboot.16.06.02.prd9.SPA.pkgReplacement: rp 0 0 rp_boot cat9k-rpboot.16.06.02.SPA.pkgReplacement: rp 1 0 rp_boot cat9k-rpboot.16.06.02.SPA.pkg



Current : cc 0 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 0 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 0 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : cc 1 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 1 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 1 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : cc 10 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 10 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : cc 10 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 2 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 2 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 2 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : cc 3 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 3 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 3 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : cc 4 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 4 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 4 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : cc 5 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 5 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 5 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : cc 6 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 6 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 6 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : cc 7 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 7 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 7 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : cc 8 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 8 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 8 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : cc 9 0 cc_srdriver cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgCurrent : cc 9 0 cc cat9k-sipbase.16.06.02.prd9.SPA.pkgCurrent : cc 9 0 cc_spa cat9k-sipspa.16.06.02.prd9.SPA.pkgCurrent : fp 0 0 fp cat9k-espbase.16.06.02.prd9.SPA.pkgCurrent : fp 1 0 fp cat9k-espbase.16.06.02.prd9.SPA.pkgCurrent : rp 0 0 guestshell cat9k-guestshell.16.06.02.prd9.SPA.pkgCurrent : rp 0 0 rp_base cat9k-rpbase.16.06.02.prd9.SPA.pkgCurrent : rp 0 0 rp_daemons cat9k-rpbase.16.06.02.prd9.SPA.pkgCurrent : rp 0 0 rp_iosd cat9k-rpbase.16.06.02.prd9.SPA.pkgCurrent : rp 0 0 rp_security cat9k-rpbase.16.06.02.prd9.SPA.pkgCurrent : rp 0 0 rp_webui cat9k-webui.16.06.02.prd9.SPA.pkgCurrent : rp 0 0 rp_wlc cat9k-wlc.16.06.02.prd9.SPA.pkgCurrent : rp 0 0 srdriver cat9k-srdriver.16.06.02.prd9.SPA.pkgCurrent : rp 1 0 guestshell cat9k-guestshell.16.06.02.prd9.SPA.pkgCurrent : rp 1 0 rp_base cat9k-rpbase.16.06.02.prd9.SPA.pkgCurrent : rp 1 0 rp_daemons cat9k-rpbase.16.06.02.prd9.SPA.pkgCurrent : rp 1 0 rp_iosd cat9k-rpbase.16.06.02.prd9.SPA.pkgCurrent : rp 1 0 rp_security cat9k-rpbase.16.06.02.prd9.SPA.pkgCurrent : rp 1 0 rp_webui cat9k-webui.16.06.02.prd9.SPA.pkgCurrent : rp 1 0 rp_wlc cat9k-wlc.16.06.02.prd9.SPA.pkgCurrent : rp 1 0 srdriver cat9k-srdriver.16.06.02.prd9.SPA.pkgReplacement: cc 0 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 0 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 0 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 1 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 1 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 1 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 10 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 10 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 10 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 2 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 2 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 2 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 3 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkg



Replacement: cc 3 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 3 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 4 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 4 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 4 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 5 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 5 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 5 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 6 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 6 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 6 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 7 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 7 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 7 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 8 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 8 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 8 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 9 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 9 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 9 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: fp 0 0 fp cat9k-espbase.16.06.02.SPA.pkgReplacement: fp 1 0 fp cat9k-espbase.16.06.02.SPA.pkgReplacement: rp 0 0 guestshell cat9k-guestshell.16.06.02.SPA.pkgReplacement: rp 0 0 rp_base cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 0 0 rp_daemons cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 0 0 rp_iosd cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 0 0 rp_security cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 0 0 rp_webui cat9k-webui.16.06.02.SPA.pkgReplacement: rp 0 0 rp_wlc cat9k-wlc.16.06.02.SPA.pkgReplacement: rp 0 0 srdriver cat9k-srdriver.16.06.02.SPA.pkgReplacement: rp 1 0 guestshell cat9k-guestshell.16.06.02.SPA.pkgReplacement: rp 1 0 rp_base cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 1 0 rp_daemons cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 1 0 rp_iosd cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 1 0 rp_security cat9k-rpbase.16.06.02.SPA.pkg


Replacement: rp 1 0 rp_webui cat9k-webui.16.06.02.SPA.pkgReplacement: rp 1 0 rp_wlc cat9k-wlc.16.06.02.SPA.pkgReplacement: rp 1 0 srdriver cat9k-srdriver.16.06.02.SPA.pkgFinished rollback impact

[1] Finished Rollback on switch 1Checking status of Rollback on [1]Rollback: Passed on [1]Finished Rollback

Install will reload the system now!SUCCESS: install_rollback Mon Oct 30 20:54:23 UTC 2017

Device#*Oct 30 20:54:23.576: %IOSXE-5-PLATFORM: Switch 1 R0/0: Oct 30 20:54:23install_engine.sh: %INSTALL-5-INSTALL_COMPLETED_INFO: Completed install rollback PACKAGE*Oct 30 20:54:25.416: %STACKMGR-1-RELOAD: Switch 1 R0/0: stack_mgr:Reloading due to reason Reload command Oct 30 20:54:31.615 FP0/0: %PMAN-5-EXITACTION:Process manager is exiting: reload fp action requestedOct 30 20:54

The following is a sample output from the install remove inactive command:Device# install remove inactive

install_remove: START Mon Oct 30 19:51:48 UTC 2017Cleaning up unnecessary package files



Scanning boot directory for packages ... done.Preparing packages list to delete ...done.

The following files will be deleted:[switch 1]:/flash/cat9k-cc_srdriver.16.06.02.SPA.pkg/flash/cat9k-espbase.16.06.02.SPA.pkg/flash/cat9k-guestshell.16.06.02.SPA.pkg/flash/cat9k-rpbase.16.06.02.SPA.pkg/flash/cat9k-rpboot.16.06.02.SPA.pkg/flash/cat9k-sipbase.16.06.02.SPA.pkg/flash/cat9k-sipspa.16.06.02.SPA.pkg/flash/cat9k-srdriver.16.06.02.SPA.pkg/flash/cat9k-webui.16.06.02.SPA.pkg/flash/cat9k-wlc.16.06.02.SPA.pkg/flash/packages.conf

Do you want to remove the above files? [y/n]y[switch 1]:Deleting file flash:cat9k-cc_srdriver.16.06.02.SPA.pkg ... done.Deleting file flash:cat9k-espbase.16.06.02.SPA.pkg ... done.Deleting file flash:cat9k-guestshell.16.06.02.SPA.pkg ... done.Deleting file flash:cat9k-rpbase.16.06.02.SPA.pkg ... done.Deleting file flash:cat9k-rpboot.16.06.02.SPA.pkg ... done.Deleting file flash:cat9k-sipbase.16.06.02.SPA.pkg ... done.Deleting file flash:cat9k-sipspa.16.06.02.SPA.pkg ... done.Deleting file flash:cat9k-srdriver.16.06.02.SPA.pkg ... done.Deleting file flash:cat9k-webui.16.06.02.SPA.pkg ... done.Deleting file flash:cat9k-wlc.16.06.02.SPA.pkg ... done.Deleting file flash:packages.conf ... done.SUCCESS: Files deleted.--- Starting Post_Remove_Cleanup ---Performing Post_Remove_Cleanup on all members[1] Post_Remove_Cleanup package(s) on switch 1[1] Finished Post_Remove_Cleanup on switch 1

Checking status of Post_Remove_Cleanup on [1]Post_Remove_Cleanup: Passed on [1]Finished Post_Remove_Cleanup

SUCCESS: install_remove Mon Oct 30 19:52:25 UTC 2017Device#

The following is sample output from the install abort command:Device# install abort

/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly functioninstall_abort: START Mon Oct 30 20:27:32 UTC 2017install_abort: Abort type PACKAGE subtype NONE smutype NONE

This install abort would require a reload. Do you want to proceed? [y/n]

*Oct 30 20:27:33.189: %INSTALL-5-INSTALL_START_INFO: Switch 1 R0/0: install_engine: Startedinstall abort--- Starting Abort ---Performing Abort on all members/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function



/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function[1] Abort package(s) on switch 1--- Starting rollback impact ---Changes that are part of this rollbackCurrent : rp 0 0 rp_boot

cat9k-rpboot.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 1 0 rp_boot

cat9k-rpboot.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgReplacement: rp 0 0 rp_boot cat9k-rpboot.16.06.02.SPA.pkgReplacement: rp 1 0 rp_boot cat9k-rpboot.16.06.02.SPA.pkgCurrent : cc 0 0 cc_srdriver

cat9k-cc_srdriver.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : cc 0 0 cc

cat9k-sipbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : cc 0 0 cc_spa

cat9k-sipspa.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : cc 1 0 cc_srdriver



cat9k-sipspa.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : cc 10 0 cc



cat9k-cc_srdriver.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : cc 2 0 cc_srdriver


























cat9k-sipspa.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : fp 0 0 fp

cat9k-espbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : fp 1 0 fp

cat9k-espbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 0 0 guestshell

cat9k-guestshell.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 0 0 rp_base

cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 0 0 rp_daemons

cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 0 0 rp_iosd

cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 0 0 rp_security

cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 0 0 rp_webui

cat9k-webui.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 0 0 rp_wlc

cat9k-wlc.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 0 0 srdriver

cat9k-srdriver.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 1 0 guestshell

cat9k-guestshell.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 1 0 rp_base

cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 1 0 rp_daemons

cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 1 0 rp_iosd

cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 1 0 rp_security

cat9k-rpbase.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 1 0 rp_webui

cat9k-webui.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 1 0 rp_wlc

cat9k-wlc.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgCurrent : rp 1 0 srdriver

cat9k-srdriver.BLD_POLARIS_DEV_LATEST_20171029_082249.SSA.pkgReplacement: cc 0 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 0 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 0 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 1 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 1 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 1 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 10 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 10 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 10 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 2 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 2 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 2 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 3 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 3 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 3 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkg



Replacement: cc 4 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 4 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 4 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 5 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 5 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 5 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 6 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 6 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 6 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 7 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 7 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 7 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 8 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 8 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 8 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: cc 9 0 cc_srdriver cat9k-cc_srdriver.16.06.02.SPA.pkgReplacement: cc 9 0 cc cat9k-sipbase.16.06.02.SPA.pkgReplacement: cc 9 0 cc_spa cat9k-sipspa.16.06.02.SPA.pkgReplacement: fp 0 0 fp cat9k-espbase.16.06.02.SPA.pkgReplacement: fp 1 0 fp cat9k-espbase.16.06.02.SPA.pkgReplacement: rp 0 0 guestshell cat9k-guestshell.16.06.02.SPA.pkgReplacement: rp 0 0 rp_base cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 0 0 rp_daemons cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 0 0 rp_iosd cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 0 0 rp_security cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 0 0 rp_webui cat9k-webui.16.06.02.SPA.pkgReplacement: rp 0 0 rp_wlc cat9k-wlc.16.06.02.SPA.pkgReplacement: rp 0 0 srdriver cat9k-srdriver.16.06.02.SPA.pkgReplacement: rp 1 0 guestshell cat9k-guestshell.16.06.02.SPA.pkgReplacement: rp 1 0 rp_base cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 1 0 rp_daemons cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 1 0 rp_iosd cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 1 0 rp_security cat9k-rpbase.16.06.02.SPA.pkgReplacement: rp 1 0 rp_webui cat9k-webui.16.06.02.SPA.pkgReplacement: rp 1 0 rp_wlc cat9k-wlc.16.06.02.SPA.pkgReplacement: rp 1 0 srdriver cat9k-srdriver.16.06.02.SPA.pkgFinished rollback impact

[1] Finished Abort on switch 1Checking status of Abort on [1]Abort: Passed on [1]Finished Abort

/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function[1]: Performing MCU Upgrade Service/usr/binos/conf/provfunc.sh: line 8792: $l_log_file: ambiguous redirectSUCCESS: MCU Upgrade Service finished

Install will reload the system now!SUCCESS: install_abort Mon Oct 30 20:28:21 UTC 2017/usr/binos/conf/chasutils.sh: line 428: chasfs_is_dominica: readonly function

The following is a sample output from the install activate auto-abort-timer command:Device# install activate auto-abort-timer 30

install_activate: START Mon Oct 30 20:42:28 UTC 2017install_activate: Activating PACKAGE


%INSTALL-5-INSTALL_START_INFO: Started install activateFollowing packages shall be activated:/flash/cat9k-wlc.16.06.02.prd9.SPA.pkg/flash/cat9k-webui.16.06.02.prd9.SPA.pkg/flash/cat9k-srdriver.16.06.02.prd9.SPA.pkg/flash/cat9k-sipspa.16.06.02.prd9.SPA.pkg



/flash/cat9k-sipbase.16.06.02.prd9.SPA.pkg/flash/cat9k-rpboot.16.06.02.prd9.SPA.pkg/flash/cat9k-rpbase.16.06.02.prd9.SPA.pkg/flash/cat9k-guestshell.16.06.02.prd9.SPA.pkg/flash/cat9k-espbase.16.06.02.prd9.SPA.pkg/flash/cat9k-cc_srdriver.16.06.02.prd9.SPA.pkg

This operation requires a reload of the system. Do you want to proceed? [y/n]y--- Starting Activate ---Performing Activate on all members[1] Activate package(s) on switch 1--- Starting list of software package changes ---Old files list:Removed cat9k-cc_srdriver.16.06.02.SPA.pkgRemoved cat9k-espbase.16.06.02.SPA.pkgRemoved cat9k-guestshell.16.06.02.SPA.pkgRemoved cat9k-rpbase.16.06.02.SPA.pkgRemoved cat9k-rpboot.16.06.02.SPA.pkgRemoved cat9k-sipbase.16.06.02.SPA.pkgRemoved cat9k-sipspa.16.06.02.SPA.pkgRemoved cat9k-srdriver.16.06.02.SPA.pkgRemoved cat9k-webui.16.06.02.SPA.pkgRemoved cat9k-wlc.16.06.02.SPA.pkg

New files list:Added cat9k-cc_srdriver.16.06.02.prd9.SPA.pkgAdded cat9k-espbase.16.06.02.prd9.SPA.pkgAdded cat9k-guestshell.16.06.02.prd9.SPA.pkgAdded cat9k-rpbase.16.06.02.prd9.SPA.pkgAdded cat9k-rpboot.16.06.02.prd9.SPA.pkgAdded cat9k-sipbase.16.06.02.prd9.SPA.pkgAdded cat9k-sipspa.16.06.02.prd9.SPA.pkgAdded cat9k-srdriver.16.06.02.prd9.SPA.pkgAdded cat9k-webui.16.06.02.prd9.SPA.pkgAdded cat9k-wlc.16.06.02.prd9.SPA.pkg

Finished list of software package changes[1] Finished Activate on switch 1


*Oct 30 20:43:39.249: %IOSXE-5-PLATFORM: Switch 1 R0/0: Oct 30 20:43:39 rollback_timer.sh:

%INSTALL-5-INSTALL_AUTO_ABORT_TIMER_PROGRESS: Install auto abort timer will expire in 1800secondsInstall will reload the system now!SUCCESS: install_activate Mon Oct 30 20:43:44 UTC 2017

Device#*Oct 30 20:43:44.615: %IOSXE-5-PLATFORM: Switch 1 R0/0: Oct 30 20:43:44 install_engine.sh:

%INSTALL-5-INSTALL_COMPLETED_INFO: Completed install activate PACKAGEChassis 1 reloading, reason - Reload command



Verifying Software Install

Procedure

Step 1 enable

Example:Device> enable

Enables privileged EXEC mode.

• Enter your password if prompted.

Step 2 show install log

Example:Device# show install log

Displays information about all the software install operations that was performed since boot-up of the device.Device# show install log

[0|install_op_boot]: START Sun Jun 11 15:01:37 Universal 2017[0|install_op_boot]: END SUCCESS Sun Jun 11 15:01:44 Universal 2017[1|install_commit]: START Mon Jun 12 07:27:31 UTC 2017[1|install_commit(INFO, )]: Releasing transaction lock...[1|install_commit(CONSOLE, )]: Committing PACKAGE[remote|install_commit]: START Mon Jun 12 07:28:08 UTC 2017[remote|install_commit(INFO, )]: Releasing transaction lock...[remote|install_commit]: END SUCCESS Mon Jun 12 07:28:41 UTC 2017[1|install_commit(INFO, )]: [1 2 3]: Performing CommitSUCCESS: Commit finished

[1|install_commit(INFO, )]: install_commit: START Mon Jun 12 07:28:08 UTC 2017SUCCESS: install_commit Mon Jun 12 07:28:41 UTC 2017

[1|install_commit(INFO, )]: Remote output from switch 2[1|install_commit(INFO, )]: install_commit: START Mon Jun 12 07:28:12 UTC 2017SUCCESS: install_commit Mon Jun 12 07:28:44 UTC 2017

[1|install_commit(INFO, )]: install_commit: START Mon Jun 12 07:28:12 UTC 2017SUCCESS: install_commit Mon Jun 12 07:28:45 UTC 2017

[1|install_commit]: END SUCCESS Mon Jun 12 07:28:47 UTC 2017

Step 3 show install summary

Example:Device# show install summary

Displays information about the image versions and their corresponding install state for allmembers/field-replaceable unit (FRU).

• The output of this command differs based on the install command that is executed.



C - Activated & Committed, D - Deactivated & Uncommitted


Performing Device Setup ConfigurationVerifying Software Install

--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------IMG I 16.6.2.0IMG C 16.6.1.0

Device#

Step 4 show install package filesystem: filename

Example:Device# show install package flash:cat9k_iosxe.16.06.01.SPA.bin

Displays information about the specified software install package file.Device# show install package flash:cat9k_iosxe.16.06.01.SPA.bin

Package: cat9k_iosxe.16.06.01.SPA.binSize: 333806196Timestamp: Sun Jun 11 14:47:23 2017 UTCCanonical path: /flash/cat9k_iosxe.16.06.01.SPA.bin

Raw disk-file SHA1sum:5e9ef6ed1f7472b35eddd61df300e44b14b65ec4

Header size: 1000 bytesPackage type: 10002Package flags: 0Header version: 3

Internal package information:Name: cc_srdriverBuildTime:ReleaseDate: Sun-27-Aug-17-09:05BootArchitecture: noneRouteProcessor: cat9kPlatform: CAT9KUser: mcprePackageName: cc_srdriverBuild: BLD_V166_THROTTLE_LATEST_20170827_090555CardTypes:

Package is not bootable.Device#

Step 5 show install active

Example:Device# show install active

Displays information about the active software install package.Device# show install active

[ R0 ] Active Package(s) Information:State (St): I - Inactive, U - Activated & Uncommitted,

C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------IMG C 16.6.2.0



Step 6 show install inactive

Example:Device# show install inactive

Displays information about the inactive packages.Device# show install inactive

[ R0 ] Inactive Package(s) Information:State (St): I - Inactive, U - Activated & Uncommitted,

C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------IMG I 16.7.1.0Device#

Step 7 show install committed

Example:Device# show install committed

Displays information about committed packages.Device# show install committed

[ R0 ] Committed Package(s) Information:State (St): I - Inactive, U - Activated & Uncommitted,

C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------IMG C 16.6.1.0Device#

Step 8 show install uncommitted

Example:Device# show install uncommitted

Displays information about uncommitted packages.Device# show install uncommitted

[ R0 ] Uncommitted Package(s) Information:State (St): I - Inactive, U - Activated & Uncommitted,

C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------IMG U 16.6.2.0Device#



Example: Configuring a Device as a DHCP Server

Device# configure terminalDevice(config)# ip dhcp pool pool1Device(dhcp-config)# network 10.10.10.0 255.255.255.0Device(dhcp-config)# boot config-boot.textDevice(dhcp-config)# default-router 10.10.10.1Device(dhcp-config)# option 150 10.10.10.1Device(dhcp-config)# exitDevice(config)# tftp-server flash:config-boot.textDevice(config)# interface gigabitethernet1/0/4Device(config-if)# no switchportDevice(config-if)# ip address 10.10.10.1 255.255.255.0Device(config-if)# end

Example: Configuring DHCP Auto-Image Update

Device# configure terminalDevice(config)# ip dhcp pool pool1Device(dhcp-config)# network 10.10.10.0 255.255.255.0Device(dhcp-config)# boot config-boot.textDevice(dhcp-config)# default-router 10.10.10.1Device(dhcp-config)# option 150 10.10.10.1Device(dhcp-config)# option 125 hex 0000.0009.0a05.08661.7574.6f69.6e73.7461.6c6c.5f64.686370

Device(dhcp-config)# exitDevice(config)# tftp-server flash:config-boot.textDevice(config)# tftp-server flash:image_nameDevice(config)# tftp-server flash:boot-config.textDevice(config)# tftp-server flash: autoinstall_dhcpDevice(config)# interface gigabitethernet1/0/4Device(config-if)# no switchportDevice(config-if)# ip address 10.10.10.1 255.255.255.0Device(config-if)# end

Example: Configuring a Device to Download Configurations from a DHCPServer

The following example shows how to use a Layer 3 SVI interface on VLAN 99 to enable DHCP-basedautoconfiguration with a saved configuration:

Device# configure terminalDevice(config)# boot host dhcpDevice(config)# boot host retry timeout 300Device(config)# banner config-save ^C Caution - Saving Configuration File to NVRAM May CauseYou to No longer Automatically Download Configuration Files at Reboot^CDevice(config)# vlan 99Device(config-vlan)# interface vlan 99Device(config-if)# no shutdownDevice(config-if)# endDevice# show boot

BOOT path-list:


Performing Device Setup ConfigurationExample: Configuring a Device as a DHCP Server

Config file: flash:/config.textPrivate Config file: flash:/private-config.textEnable Break: noManual Boot: noHELPER path-list:NVRAM/Config file

buffer size: 32768Timeout for Config

Download: 300 secondsConfig Download

via DHCP: enabled (next boot: enabled)Device#

Example: Scheduling Software Image ReloadThis example shows how to reload the software on a device on the current day at 7:30 p.m:

Device# reload at 19:30

Reload scheduled for 19:30:00 UTC Wed Jun 5 2013 (in 2 hours and 25 minutes)Proceed with reload? [confirm]

This example shows how to reload the software on a device at a future date and time:

Device# reload at 02:00 jun 20

Reload scheduled for 02:00:00 UTC Thu Jun 20 2013 (in 344 hours and 53 minutes)Proceed with reload? [confirm]

Additional References For Performing Device SetupRelated Documents


Command Reference (Catalyst9500 Series Switches)

Device setup commands

Boot loader commands

Cisco Catalyst 9500 SeriesSwitches Hardware InstallationGuide

.

Hardware installation

Feature History for Performing Device Setup ConfigurationThis table provides release and related information for features explained in this module.



Performing Device Setup ConfigurationExample: Scheduling Software Image Reload


A device setup configuration can be performed,including auto configuration of IP addressassignments and DHCP.


Device SetupConfiguration

Cisco IOSXEEverest 16.5.1a


Device SetupConfiguration

Cisco IOS XE Fuji 16.8.1a



Performing Device Setup ConfigurationFeature History for Performing Device Setup Configuration



Performing Device Setup ConfigurationFeature History for Performing Device Setup Configuration

C H A P T E R 4Configuring Smart Licensing

• Prerequisites for Configuring Smart Licensing, on page 95• Introduction to Smart Licensing, on page 95• Connecting to CSSM, on page 96• Linking Existing Licenses to CSSM, on page 98• Configuring a Connection to CSSM and Setting Up the License Level, on page 98• Registering a Device on CSSM, on page 108• Monitoring Smart Licensing Configuration, on page 113• Configuration Examples for Smart Licensing, on page 114• Additional References, on page 120• Feature History for Smart Licensing, on page 120

Prerequisites for Configuring Smart LicensingYou must have the following in CSSM:

• Cisco Smart Account

• One or more Virtual Account

• User role with proper access rights

• You should have accepted the Smart Software Licensing Agreement on CSSM to register devices.

• Network reachability to https://tools.cisco.com.

Introduction to Smart LicensingCisco Smart Licensing is a flexible licensingmodel that provides you with an easier, faster, and more consistentway to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure– you control what users can access. With Smart Licensing you get:

• Easy Activation: Smart Licensing establishes a pool of software licenses that can be used across theentire organization—no more PAKs (Product Activation Keys).


https://software.cisco.com/

https://tools.cisco.com

• Unified Management: My Cisco Entitlements (MCE) provides a complete view into all of your Ciscoproducts and services in an easy-to-use portal, so you always know what you have and what you areusing.

• License Flexibility: Your software is not node-locked to your hardware, so you can easily use and transferlicenses as needed.

To use Smart Licensing, youmust first set up a Smart Account on Cisco Software Central (software.cisco.com).

For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.

Overview of CSSMCisco Smart Software Manager (CSSM) enables you to manage all your Cisco smart software licenses fromone centralized portal. With CSSM, you can organize and view your licenses in groups called virtual accounts(collections of licenses and product instances).

You can access the CSSM on https://software.cisco.com/#, by clicking the Smart Software Licensing linkunder the License tab.

Use a Chrome 32.0, Firefox 25.0, or Safari 6.0.5 web browser to access CSSM. Also, ensure that Javascript1.5 or a later version is enabled in your browser.

Note

Use the CSSM to do the following tasks:

• Create, manage, or view virtual accounts.

• Create and manage Product Instance Registration Tokens.

• Transfer licenses between virtual accounts or view licenses.

• Transfer, remove, or view product instances.

• Run reports against your virtual accounts.

• Modify your email notification settings.

• View overall account information.

CSSM Help describes the procedures for carrying out these tasks.

Connecting to CSSMThe following illustration shows the various options available to connect to CSSM:


Configuring Smart LicensingOverview of CSSM

http://software.cisco.com

https://cisco.com/go/licensingguide


Figure 5: Connection Options

1. Direct cloud access: In this method, Cisco products send usage information directly over the internet toCisco.com; no additional components are needed for the connection.

2. Direct cloud access through an HTTPs proxy: In this method, Cisco products send usage information overthe internet through a proxy server - either a Call Home Transport Gateway or an off-the-shelf proxy(such as Apache) to Cisco.com.

3. Mediated access through a connected on-premises collector: In this method, Cisco products send usageinformation to a locally-connected collector, which acts as a local license authority. Periodically, thisinformation is exchanged to keep the databases synchronized.

4. Mediated access through a disconnected on-premises collector: In this method, Cisco products send usageinformation to a local disconnected collector, which acts as a local license authority. Exchange ofhuman-readable information takes place occasionally (maybe once a month) to keep the databasessynchronized.


Configuring Smart LicensingConnecting to CSSM

Options 1 and 2 provide an easy connection option, and options 3 and 4 provide a secure environmentconnection option. Cisco Smart Software Manager On-Prem (formerly known as Cisco Smart SoftwareManager satellite) provides support for options 3 and 4.

Linking Existing Licenses to CSSMThe following section is required for those licenses that were purchased without a Cisco Smart Account. Theselicenses will not be available in CSSM after you have upgraded to Cisco IOSXE Fuji 16.9.1. You are requestedto contact the Cisco Global Licensing Operations (GLO) team with the following email template. Fill thetemplate with the appropriate information to request linking of your existing licenses to your Cisco SmartAccount in CSSM.

Email Template:

To: [email protected]

Subject: Request for Linking Existing Licenses to Cisco Smart Account

Email Text:

Cisco.com ID: #####

Smart virtual account name: #####

Smart account domain ID (domain in the form of "xyz.com"): #####

List of UDIs:

List of licenses with count:

Proof of purchase (Please attach your proof of purchase along with this mail)

Configuring a Connection to CSSM and Setting Up the LicenseLevel

The following sections provide information about how to set up a connection to CSSM and set up the licenselevel.

Setting Up a Connection to CSSMThe following steps show how to set up a Layer 3 connection to CSSM to verify network reachability. Skipthis section if you already have Layer 3 connectivity to CSSM.

Procedure



Example: Enter your password, if prompted.Device> enable


Configuring Smart LicensingLinking Existing Licenses to CSSM



Example:

Step 2


Configures Domain Name System (DNS).{ip | ipv6} name-server server-address 1[server-address 2] [server-address 3]

Step 3

[server-address 4] [server-address 5][server-address 6]

Example:Device(config)# ip name-server209.165.201.1 209.165.200.225209.165.201.14 209.165.200.230

(Optional) Configures DNS on the VRFinterface.

ip name-server vrf Mgmt-vrf server-address1 [server-address 2] [server-address 3]

Step 4

[server-address 4] [server-address 5][server-address 6] You should configure this

command as an alternative to the ipname-server command.

Note

Example:Device(config)# ip name-server vrfMgmt-vrf 209.165.201.1 209.165.200.225209.165.201.14 209.165.200.230

(Optional) Configures the source interface forthe DNS domain lookup.

ip domain lookup source-interfaceinterface-type interface-number

Example:

Step 5

Device(config)# ip domain lookupsource-interface Vlan100

Configures the domain name.ip domain name example.com

Example:

Step 6

Device(config)# ip domain nameexample.com

(Optional) Configures statichostname-to-address mappings in the DNS

ip host tools.cisco.com ip-address

Example:

Step 7

hostname cache if automatic DNS mapping isnot available.Device(config)# ip host tools.cisco.com

209.165.201.30

Configures a Layer 3 interface.interface vlan_id

Example:

Step 8

Device(config)# interface Vlan100Device(config-if)# ip address 192.0.2.10255.255.255.0Device(config-if)# exit

Forms a server association with the specifiedsystem.

ntp server ip-address [version number] [keykey-id] [prefer]

Step 9


Configuring Smart LicensingSetting Up a Connection to CSSM


Example: The ntp server command ismandatory to ensure that the devicetime is synchronized with CSSM.

Note

Device(config)# ntp server198.51.100.100 version 2 prefer

(Optional) Enables the VLAN for which thisaccess port carries traffic and sets the interface

switchport access vlan vlan_id

Example:

Step 10

as a nontrunking nontagged single-VLANEthernet interface.

Device(config)# interfaceGigabitEthernet1/0/1 This step is to be configured only

if the switchport access mode isrequired.

NoteDevice(config-if)# switchport accessvlan 100Device(config-if)# switchport modeaccessDevice(config-if)# exitDevice(config)#

Configures a route on the device.ip route ip-address ip-mask subnet maskStep 11

Example: You can configure either a staticroute or a dynamic route.

Note

Device(config)# ip route 192.0.2.0255.255.255.255 192.0.2.1

Enables the transport mode as Call Home.license smart transport callhomeStep 12

Example: The license smart transportcallhome command is mandatory.

Note

Device(config)# license smart transportcallhome

Configures a source interface for the HTTPclient.

ip http client source-interface interface-typeinterface-number

Step 13

Example: The ip http client source-interfaceinterface-type interface-numbercommand is mandatory.

Note

Device(config)# ip http clientsource-interface Vlan100

(Optional) Exits global configuration modeand returns to privileged EXEC mode.

exit

Example:

Step 14

Device(config)# exit



Example:

Step 15



Configuring Smart LicensingSetting Up a Connection to CSSM

Configuring the Call Home Service for Direct Cloud Access

By default, the CiscoTAC-1 profile is already set up on the device. Use the show call-home profile allcommand to check the profile status.

Note

The Call Home service provides email-based and web-based notification of critical system events to CSSM.

To configure and enable the Call Home service, perform this procedure:

Procedure





Example:

Step 2


Enters Call Home configuration mode.call-home

Example:

Step 3

Device(config)# call-home

Disables server identity check when HTTPconnection is established.

no http secure server-identity-check

Example:

Step 4

Device(config-call-home)# no http secureserver-identity-check

Assigns customer's email address. You canenter up to 200 characters in email addressformat with no spaces.

contact-email-address email-address

Example:Device(config-call-home)#contact-email-addr [email protected]

Step 5

By default, the CiscoTAC-1 profile is inactive.To use this profile with the Call Home service,you must enable the profile.

profile CiscoTAC-1

Example:Device(config-call-home)# profileCiscoTAC-1

Step 6

Enables the Call Home service via HTTP.destination transport-method http

Example:

Step 7

Device(config-call-home-profile)#destination transport-method http

Connects to CSSM.destination address http url

Example:

Step 8


Configuring Smart LicensingConfiguring the Call Home Service for Direct Cloud Access

PurposeCommand or ActionDevice(config-call-home-profile)#destination address httphttps://tools.cisco.com/its/service/oddce/services/DDCEService

Enables the destination profile.active

Example:

Step 9

Device(config-call-home-profile)# active

Disables the Call Home service via email.no destination transport-method email

Example:

Step 10

Device(config-call-home-profile)# nodestination transport-method email

Exits Call Home destination profileconfiguration mode and returns to Call Homeconfiguration mode.

exit

Example:Device(config-call-home-profile)# exit

Step 11

Exits Call Home configuration mode andreturns to global configuration mode.

exit

Example:

Step 12

Device(config-call-home)# exit

Enables the Call Home feature.service call-home

Example:

Step 13

Device(config)# service call-home

Exits global configuration mode and returnsto privileged EXEC mode.

exit

Example:

Step 14




Example:

Step 15


Configuring the Call Home Service for Direct Cloud Access through an HTTPsProxy Server

The Call Home service can be configured through an HTTPs proxy server. This configuration requires nouser authentication to connect to CSSM.

Authenticated HTTPs proxy configurations are not supported.Note

To configure and enable the Call Home service through an HTTPs proxy, perform this procedure:


Configuring Smart LicensingConfiguring the Call Home Service for Direct Cloud Access through an HTTPs Proxy Server

Procedure





Example:

Step 2



Example:

Step 3


Configures the default email address [email protected].

contact-email-address email-address

Example:

Step 4

Device(config-call-home)#[email protected]

Configures the proxy server information to theCall Home service.

http-proxy proxy-address proxy-portport-number

Example:

Step 5

Device(config-call-home)# http-proxy198.51.100.10 port 3128


profile CiscoTAC-1


Step 6

Enables the Call Home service via HTTP.destination transport-method http

Example:

Step 7


Disables the Call Home service via email.no destination transport-method email

Example:

Step 8

Device(config-call-home-profile)# nodestination transport-method email

Enters Call Home destination profileconfiguration mode for the specified

profile name

Example:

Step 9

destination profile name. If the specifieddestination profile does not exist, it is created.Device(config-call-home)# profile test1




Enables data sharing with the Call Homeservice via HTTP.

reporting smart-licensing-data

Example:

Step 10

Device(config-call-home-profile)#reporting smart-licensing-data

Enables the HTTP message transport method.destination transport-method http

Example:

Step 11


Connects to CSSM.destination address http url

Example:

Step 12

Device(config-call-home-profile)#destination address httphttps://tools.cisco.com/its/service/oddce/services/DDCEService

Enables the destination profile.active

Example:

Step 13



exit


Step 14


exit

Example:

Step 15


Enables the Call Home feature.service call-home

Example:

Step 16

Device(config)# service call-home

Enables the Call Home feature.ip http client proxy-server proxy-addressproxy-port port-number

Step 17

Example:Device(config)# ip http clientproxy-server 198.51.100.10 port 3128


exit

Example:

Step 18




Example:

Step 19




Configuring the Call Home Service for Cisco Smart Software Manager On-PremFor information about Cisco Smart Software Manager On-Prem (formerly known as Cisco Smart SoftwareManager satellite), see https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager-satellite.html.

To configure the Call Home service for the Cisco Smart Software Manager On-Prem (formerly known asCisco Smart Software Manager satellite), perform this procedure:

Procedure



Example: Enter your password if prompted.Device> enable


Example:

Step 2



Example:

Step 3



profile CiscoTAC-1


Step 4

Disable the default destination address.no destination address http url

Example:

Step 5

Device(config-call-home-profile)# nodestination address httphttps://tools.cisco.com/its/service/oddce/services/DDCEService

Disables server identity check when HTTPconnection is established.

no http secure server-identity-check

Example:

Step 6

Device(config-call-home)# no http secureserver-identity-check

Enters Call Home destination profileconfiguration mode for the specified

profile name

Example:

Step 7

destination profile name. If the specifieddestination profile does not exist, it is created.Device(config-call-home)# profile test1

Enables data sharing with the Call Homeservice via HTTP.

reporting smart-licensing-data

Example:

Step 8

Device(config-call-home-profile)#reporting smart-licensing-data


Configuring Smart LicensingConfiguring the Call Home Service for Cisco Smart Software Manager On-Prem

https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager-satellite.html


Enables the HTTP message transport method.destination transport-method http

Example:

Step 9


Configures the destination URL (CSSM) towhich Call Home messages are sent.

destination address http url

Example:

Step 10

NoteDevice(config-call-home-profile)#destination address http Ensure the IP address or the fully qualified

domain name (FQDN) in the destination URLhttps://209.165.201.15:443/Transportgateway/services/DeviceRequestHandler

matches the IP address or the FQDN asor configured for the Satellite Name on the Cisco

Smart Software Manager On-Prem.Device(config-call-home-profile)#destination address httphttp://209.165.201.15:80/Transportgateway/services/DeviceRequestHandler

(Optional) Configures a preferred messageformat. The default is XML.

destination preferred-msg-format {long-text| short-text | xml}

Example:

Step 11

Device(config-call-home-profile)#destination preferred-msg-format xml

Enables the destination profile. By default, aprofile is enabled when it is created.

active

Example:

Step 12



exit


Step 13


exit

Example:

Step 14


Configures a source interface for the HTTPclient.

ip http client source-interface interface-typeinterface-number

Step 15

Example: The ip http client source-interfaceinterface-type interface-numbercommand is mandatory for a vrfinterface.

Note

Device(config)# ip http clientsource-interface Vlan100

(Optional) Declares the trustpoint and a givenname and enters ca-trustpoint configurationmode.

crypto pki trustpoint name

Example:Device(config)# crypto pki trustpointSLA-TrustPoint

Step 16


Configuring Smart LicensingConfiguring the Call Home Service for Cisco Smart Software Manager On-Prem


(Optional) Specifies that certificate checkingis ignored.

revocation-check none

Example:

Step 17

Device(ca-trustpoint)# revocation-checknone

(Optional) Exits ca-trustpoint configurationmode and returns to privileged EXEC mode.

end

Example:

Step 18

Device(ca-trustpoint)# end



Example:

Step 19


Configuring the License LevelThis procedure is optional. You can use this procedure to :

• Downgrade or upgrade licenses.

• Enable or disable an evaluation or extension license

• Clear an upgrade license

The required license level(s) needs to be configured on the device before registering. The following are thelicense levels available for Cisco Catalyst 9000 Series Switches:

Base licenses

• Network Essentials

• Network Advantage (includes Network Essentials)

Add-on licenses—These can be subscribed for a fixed term of three, five, or seven years.

• Digital Networking Architecture (DNA) Essentials

• DNA Advantage (includes DNA Essentials)

To configure the license levels, follow this procedure:

Procedure





Configuring Smart LicensingConfiguring the License Level



Example:

Step 2


Activates the licenses on the switch.license boot level license_level

Example:

Step 3

Device(config)# license boot levelnetwork-essentials

Returns to the privileged EXEC mode.exit

Example:

Step 4


Saves the license information on the switch.write memory

Example:

Step 5

Device# write memory

Shows license-level information.show version

Example:

Step 6

Device# show version------------------------------------------------------------------------------Technology-package Current Type

Technology-packageNext reboot------------------------------------------------------------------------------network-essentials SmartLicensenetwork-essentialsNoneSubscription Smart License None

Reloads the device.reload

Example:

Step 7

Device# reload

Registering a Device on CSSMTo register a device on CSSM, you must do the following tasks:

1. Generate a unique token from the CSSM.

2. Register the device with the generated token.

On successful registration, the device will receive an identity certificate. This certificate is saved on yourdevice and automatically used for all future communications with Cisco. CSSM will attempt to renew theregistration information every 30 days.


Configuring Smart LicensingRegistering a Device on CSSM

Additionally, license usage data is collected and a report is sent to you every month. If required, you canconfigure your Call Home settings to filter out sensitive information (like hostname, username and password)from the usage report.

Downgrading a device from Cisco IOS XE Fuji 16.9.1 to any prior release will migrate the smart license totraditional license. All smart license information on the device will be removed. In case the device needs tobe upgraded back to Cisco IOS XE Fuji 16.9.1, the license status will remain in evaluation mode until thedevice is registered again in CSSM.

Note

Generating a New Token from CSSMTokens are generated to register new product instances to the virtual account.

Procedure

Step 1 Log in to CSSM from https://software.cisco.com/#.

You must log in to the portal using the username and password provided by Cisco.

Step 2 Click the Inventory tab.Step 3 From the Virtual Account drop-down list, choose the required virtual account.Step 4 Click the General tab.Step 5 Click New Token.

The Create Registration Token window is displayed.

Step 6 In the Description field, enter the token description.Step 7 In the Expire After field, enter the number of days the token must be active.


Configuring Smart LicensingGenerating a New Token from CSSM


Step 8 (Optional) In the Max. Number of Uses field, enter the maximum number of uses allowed after which thetoken expires.

Step 9 Check the Allow export-controlled functionality on the products registered with this token checkbox.

Enabling this checkbox ensures Cisco compliance with US and country-specific export policies and guidelines.For more information, see https://www.cisco.com/c/en/us/about/legal/global-export-trade.html.

Step 10 Click Create Token to create a token.Step 11 After the token is created, click Copy to copy the newly created token.

Registering a Device with the New TokenTo register a device with the new token, perform this procedure:


Configuring Smart LicensingRegistering a Device with the New Token

https://www.cisco.com/c/en/us/about/legal/global-export-trade.html

Procedure




Registers the device with the back-end serverusing the token generated from CSSM.

license smart register idtoken token_ID

Example:

Step 2

Device# license smart register idtoken$Tl4UytrNXBzbEs1ck8veUtWaG5abnZJOFdDa1FwbVRa%0AblRMbz0%3D%0A

Saves the license information on the device.write memory

Example:

Step 3


Verifying the License Status After RegistrationTo verify the status of a license after registration, use the show license all command.

Device> enableDevice# show license allSmart Licensing Status======================

Smart Licensing is ENABLED

Registration:Status: REGISTEREDSmart Account: Smart Account NameVirtual Account: Virtual Account 1Export-Controlled Functionality: AllowedInitial Registration: SUCCEEDED on Jul 16 09:44:50 2018 ISTLast Renewal Attempt: NoneNext Renewal Attempt: Jan 12 09:44:49 2019 ISTRegistration Expires: Jul 16 09:39:05 2019 IST

License Authorization:Status: AUTHORIZED on Jul 31 17:30:02 2018 ISTLast Communication Attempt: SUCCEEDED on Jul 31 17:30:02 2018 ISTNext Communication Attempt: Aug 30 17:30:01 2018 ISTCommunication Deadline: Oct 29 17:24:12 2018 IST

Export Authorization Key:Features Authorized:<none>

Utility:Status: DISABLED

Data Privacy:Sending Hostname: yesCallhome hostname privacy: DISABLEDSmart Licensing hostname privacy: DISABLED

Version privacy: DISABLED


Configuring Smart LicensingVerifying the License Status After Registration

Transport:Type: Callhome

License Usage==============

C9500 48Y4C DNA Advantage (C9500-DNA-48Y4C-A):Description: C9500 48Y4C DNA AdvantageCount: 1Version: 1.0Status: AUTHORIZEDExport status: NOT RESTRICTED

C9500 48Y4C NW Advantage (C9500-48Y4C-A):Description: C9500 48Y4C NW AdvantageCount: 1Version: 1.0Status: AUTHORIZEDExport status: NOT RESTRICTED

Product Information===================UDI: PID:C9500-48Y4C,SN:CAT2150L5HK

Agent Version=============Smart Agent for Licensing: 4.5.2_rel/32Component Versions: SA:(1_3_dev)1.0.15, SI:(dev22)1.2.1, CH:(rel5)1.0.3, PK:(dev18)1.0.3

Reservation Info================License reservation: DISABLED

Canceling a Device's Registration in CSSMWhen your device is taken off the inventory, shipped elsewhere for redeployment, or returned to Cisco forreplacement using the return merchandise authorization (RMA) process, you can use the deregister commandto cancel the registration of your device.

To cancel device registration, follow this procedure:

Before you begin

Layer 3 connection to CSSM must be available to successfully deregister the device.

Procedure




Cancels the device's registration, and sends thedevice into evaluationmode. All smart licensing

license smart deregister

Example:

Step 2

entitlements and certificates on theDevice# license smart deregister corresponding platform are removed. The


Configuring Smart LicensingCanceling a Device's Registration in CSSM


device product instance stored on CSSM is alsoremoved.

Monitoring Smart Licensing ConfigurationUse the following commands in privileged EXEC mode to monitor smart licensing configuration.

Table 7: Commands to Monitor Smart Licensing Configuration

PurposeCommand

Displays the compliance status of smart licensing.The following is the list of possible statuses:

• Enabled: Indicates that smart licensing isenabled.

• Waiting: Indicates the initial state after yourdevice has made a license entitlement request.The device establishes communication withCisco and successfully registers itself with theCSSM.

• Registered: Indicates that your device is able tocommunicate with the CSSM, and is authorizedto initiate requests for license entitlements.

• Authorized: Indicates that your device is inCompliance status and is authorized to use therequested type and count of licenses. TheAuthorization status has a lifetime of 90 days.At the end of 30 days, the device will send a newentitlement authorization request to the CSSMto renew the authorization.

• Out Of Compliance: Indicates that one or moreof your licenses are out of compliance. You mustbuy additional licenses.

• Eval Mode: You must register the device withthe CSSM within 90 days (of device usage).Otherwise, your device's evaluation period willexpire.

• Evaluation Period Expired: At the end of 90 days,if your device has not registered, the deviceenters Evaluation Expired mode.

show license status

Displays all the entitlements in use. Additionally, itshows the associated licensing certificates, compliancestatus, UDI, and other details.

show license all


Configuring Smart LicensingMonitoring Smart Licensing Configuration

PurposeCommand

Displays the detailed debug output.show tech-support license

Displays the license usage information.show license usage

Displays the summary of all the active licenses.show license summary

Configuration Examples for Smart LicensingThe following sections provide various Smart Licensing configuration examples.

Example: Viewing the Call Home Profile

Example

To display the Call Home profile, use the show call-home profile all command:

Device> enableDevice# show call-home profile allProfile Name: CiscoTAC-1

Profile status: ACTIVEProfile mode: Full ReportingReporting Data: Smart Call Home, Smart LicensingPreferred Message Format: xmlMessage Size Limit: 3145728 BytesTransport Method: httpHTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEServiceOther address(es): default

Periodic configuration info message is scheduled every 1 day of the month at 09:15

Periodic inventory info message is scheduled every 1 day of the month at 09:00

Alert-group Severity------------------------ ------------crash debugdiagnostic minorenvironment warninginventory normal

Syslog-Pattern Severity------------------------ ------------APF-.-WLC_.* warning.* major

Example: Viewing the License Information Before Registering

Example

To display the license entitlements, use the show license all command:


Configuring Smart LicensingConfiguration Examples for Smart Licensing

Device> enableDevice# show license all

Smart Licensing Status======================


Registration:Status: UNREGISTEREDExport-Controlled Functionality: Not Allowed

License Authorization:Status: EVAL MODEEvaluation Period Remaining: 68 days, 0 hours, 30 minutes, 5 seconds






C9500 48Y4C DNA Advantage (C9500-DNA-48Y4C-A):Description: C9500 48Y4C DNA AdvantageCount: 1Version: 1.0Status: EVAL MODE

C9500 48Y4C NW Advantage (C9500-48Y4C-A):Description: C9500 48Y4C NW AdvantageCount: 1Version: 1.0Status: EVAL MODE




Example

To display the license usage information, use the show license usage command:


Configuring Smart LicensingExample: Viewing the License Information Before Registering

Device> enableDevice# show license usage


C9500 48Y4C DNA Advantage (C9500-DNA-48Y4C-A):Description: C9500 48Y4C DNA AdvantageCount: 1Version: 1.0Status: EVAL MODE

C9500 48Y4C NW Advantage (C9500-48Y4C-A):Description: C9500 48Y4C NW AdvantageCount: 1Version: 1.0Status: EVAL MODE

Example

To display all the license summaries, use the show license summary command:

Device> enableDevice# show license summary




License Usage:License Entitlement tag Count Status-----------------------------------------------------------------------------

(C9500-DNA-48Y4C-A) 1 EVAL MODE(C9500-48Y4C-A) 1 EVAL MODE

Example

To display the license status information, use the show license status command:

Device> enableDevice# show license status





Configuring Smart LicensingExample: Viewing the License Information Before Registering





Example: Registering a Device

Example

To register a device, use the license smart register idtoken command:

Device> enableDevice# license smart register idtokenTl4UytrNXBzbEs1ck8veUtWaG5abnZJOFdDa1FwbVRa%0AblRMbz0%3D%0ADevice# write memory

Example: Viewing the License Status After Registering

Example

To display the license entitlements, use the show license all command:

Device> enableDevice# show license all

Smart Licensing Status======================


Registration:Status: REGISTEREDSmart Account: Smart Account NameVirtual Account: Virtual Account 1Export-Controlled Functionality: AllowedInitial Registration: SUCCEEDED on Jul 16 09:44:50 2018 ISTLast Renewal Attempt: NoneNext Renewal Attempt: Jan 12 09:44:49 2019 ISTRegistration Expires: Jul 16 09:39:05 2019 IST


Export Authorization Key:


Configuring Smart LicensingExample: Registering a Device

Features Authorized:<none>











Example

To display license usage information, use the show license usage command:

Device> enableDevice# show license usageLicense Authorization:Status: AUTHORIZED on Jul 31 17:30:02 2018 IST



Configuring Smart LicensingExample: Viewing the License Status After Registering


Example

To display all the license summaries, use the show license summary command:

Device> enableDevice# show license summarySmart Licensing is ENABLED

Registration:Status: REGISTEREDSmart Account: Smart Account NameVirtual Account: Virtual Account 1Export-Controlled Functionality: AllowedLast Renewal Attempt: NoneNext Renewal Attempt: Jan 12 09:44:49 2019 IST

License Authorization:Status: AUTHORIZEDLast Communication Attempt: SUCCEEDEDNext Communication Attempt: Aug 30 17:30:02 2018 IST

License Usage:License Entitlement tag Count Status-----------------------------------------------------------------------------C9500 48Y4C DNA Adva... (C9500-DNA-48Y4C-A) 1 AUTHORIZEDC9500 48Y4C NW Advan... (C9500-48Y4C-A) 1 AUTHORIZED

Example

To display the license status information, use the show license status command:

Device> enableDevice# show license statusSmart Licensing is ENABLED





Registration:Status: REGISTEREDSmart Account: Smart Account NameVirtual Account: Virtual Account 1


Configuring Smart LicensingExample: Viewing the License Status After Registering

Export-Controlled Functionality: AllowedInitial Registration: SUCCEEDED on Jul 16 09:44:50 2018 ISTLast Renewal Attempt: NoneNext Renewal Attempt: Jan 12 09:44:49 2019 ISTRegistration Expires: Jul 16 09:39:05 2019 IST


Additional ReferencesRelated Documents


Smart Software Manager HelpCisco Smart Software Manager Help

Cisco Smart Software Manager On-PremCisco Smart Software Manager On-Prem

Technical Assistance

LinkDescription

http://www.cisco.com/supportThe Cisco Support website provides extensive onlineresources, including documentation and tools fortroubleshooting and resolving technical issues withCisco products and technologies.

To receive security and technical information aboutyour products, you can subscribe to various services,such as the Product Alert Tool (accessed from FieldNotices), the Cisco Technical Services Newsletter,and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support websiterequires a Cisco.com user ID and password.

Feature History for Smart LicensingThis table provides release and related information for features explained in this module.



Configuring Smart LicensingAdditional References

https://www.cisco.com/web/fw/softwareworkspace/smartlicensing/SSMCompiledHelps/

https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager-satellite.html

http://www.cisco.com/support


A cloud-based, software license managementsolution that allows you to manage and track thestatus of your license, hardware, and software usagetrends.

Starting from this release, Smart Licensing is thedefault and the only available method to managelicenses.

Starting from Cisco IOS XE Fuji 16.9.1 theRight-To-Use (RTU) licensingmode is deprecated,and the associated license right-to-use commandis no longer available on the CLI.

Support for this feature was introduced on allmodels of Cisco Catalyst 9500 Series Switches.

Smart LicensingCisco IOS XE Fuji 16.9.1

An enhanced version of Smart Licensing, with theoverarching objective of providing a licensingsolution that does not interrupt the operations ofyour network, rather, one that enables a compliancerelationship to account for the hardware andsoftware licenses you purchase and use.

Starting with this release, Smart Licensing UsingPolicy is automatically enabled on the device. Thisis also the case when you upgrade to this release.

By default, your Smart Account and VirtualAccount in CSSM is enabled for Smart LicensingUsing Policy

For more information, see the Smart LicensingUsing Policy chapter in this guide.

Smart Licensing UsingPolicy

Cisco IOS XE Amsterdam17.3.2a

Use Cisco Feature Navigator to find information about platform and software image support. To access CiscoFeature Navigator, go to http://www.cisco.com/go/cfn


Configuring Smart LicensingFeature History for Smart Licensing



Configuring Smart LicensingFeature History for Smart Licensing

C H A P T E R 5Configuring Application Visibility and Control ina Wired Network

• Information About Application Visibility and Control in a Wired Network, on page 123• Supported AVC Class Map and Policy Map Formats, on page 124• Restrictions for Wired Application Visibility and Control, on page 125• How to Configure Application Visibility and Control, on page 126• Monitoring Application Visibility and Control, on page 151• Examples: Application Visibility and Control Configuration, on page 152• Basic Troubleshooting - Questions and Answers, on page 164• Additional References for Application Visibility and Control, on page 165• Feature History for Application Visibility and Control in a Wired Network, on page 165

Information About Application Visibility and Control in a WiredNetwork

This feature is not supported on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C modelsof the Cisco Catalyst 9500 Series Switches.

Note

Application Visibility and Control (AVC) is a critical part of Cisco’s efforts to evolve its Branch and Campussolutions from being strictly packet and connection based to being application-aware and application-intelligent.Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques withthe Network-Based Application Recognition (NBAR2) engine. AVC can be configured on wired access portsfor standalone switches. NBAR2 can be activated either explicitly on the interface by enablingprotocol-discovery or implicitly by attaching a QoS policy that contains match protocol classifier. WiredAVC Flexible NetFlow (FNF) can be configured on an interface to provide client, server and applicationstatistics per interface. The record is similar to application-client-server-stats traffic monitor which isavailable in application-statistics and application-performance profiles in Easy PerformanceMonitor (Easyperf-mon or ezPM).


Supported AVC Class Map and Policy Map FormatsThis section descriobes the supported avc class maps and policy map formats.

Supported AVC Class Map Format

DirectionClass Map ExampleClass Map Format

Both ingress andegress

class-map match-any NBAR-VOICEmatch protocol ms-lync-audio

match protocol protocol name

Both ingress andegress

class-map match-any NBAR-VOICEmatch protocol ms-lync-audiomatch dscp ef

Combination filters

Supported AVC Policy Format

QoS ActionPolicy Format

Mark and policeEgress policy based on match protocol filter

Mark and policeIngress policy based on match protocol filter

The following table describes the detailed AVC policy format with an example:

DirectionAVC Policy ExampleAVC Policy Format

Ingress and egresspolicy-map MARKING-INclass NBAR-MM_CONFERENCINGset dscp af41

Basic set

Ingress and egresspolicy-map POLICING-INclass NBAR-MM_CONFERENCINGpolice cir 600000set dscp af41

Basic police

Ingress and egresspolicy-map webex-policyclass webex-classset dscp efpolice 5000000

Basic set and police

Ingress and egresspolicy-map webex-policyclass webex-classset dscp af31police 4000000class class-webex-categoryset dscp efpolice 6000000class class-defaultset dscp <>

Multiple set and police includingdefault


Configuring Application Visibility and Control in a Wired NetworkSupported AVC Class Map and Policy Map Formats

DirectionAVC Policy ExampleAVC Policy Format

Ingress and egresspolicy-map webex-policyclass webex-classpolice 5000000service-policy client-in-police-only

policy-map client-in-police-onlyclass webex-classpolice 100000class class-webex-categoryset dscp efpolice 200000

Hierarchical police

policy-map webex-policyclass class-defaultpolice 1500000service policy client-up-childpolicy-map client-up-childclass webex-classpolice 100000set dscp efclass class-webex-categorypolice 200000set dscp af31

Hierarchical set and police

Restrictions for Wired Application Visibility and Control• AVC and Encrypted Traffic Analytics (ETA) cannot be configured together at the same time on the sameinterface.

• NBAR and transmit (Tx) Switched Port Analyzer (SPAN) is not supported on the same interface.

• Only one of the NBAR based QoS mechanisms are allowed to be attached to any port at the same time,either protocol based or attributes based. Only the following two attributes are supported:

• traffic-class

• business-relevance

• The legacy WDAVC QoS limitations are still applicable:

• Only marking and policing are supported.

• Only physical interfaces are supported.

• There is a delay in the QoS classification since the application classification is done offline (whilethe initial packet/s of the flow are meanwhile forwarded before the correct QoS classification).

• NBAR2 based match criteria match protocol will be allowed only with marking or policing actions.NBAR2 match criteria will not be allowed in a policy that has queuing features configured.

• ‘Match Protocol’: up to 255 concurrent different protocols in all policies (8 bits HW limitation).

• AVC is not supported on management port (Gig 0/0).


Configuring Application Visibility and Control in a Wired NetworkRestrictions for Wired Application Visibility and Control

• IPv6 packet classification is not supported.

• Only IPv4 unicast(TCP/UDP) is supported.

• Web UI: You can configure application visibility and perform application monitoring from the Web UI.Application Control can only be done using the CLI. It is not supported on the Web UI.

To manage and check wired AVC traffic on the Web UI, you must first configure ip http authenticationlocal and ip nbar http-service commands using the CLI.

• NBAR and ACL logging cannot be configured together on the same switch.

• Protocol-discovery, application-based QoS, and wired AVC FNF cannot be configured together at thesame time on the same interface with the non-application-based FNF. However, these wired AVC featurescan be configured with each other. For example, protocol-discovery, application-based QoS and wiredAVC FNF can be configured together on the same interface at the same time.

• Starting with Cisco IOS XE Fuji 16.9.1, up to two wired AVC monitors each with a different predefinedrecord can be attached to an interface at the same time.

• Two new directional flow records - ingress and egress - have been introduced in Cisco IOS XE Fuji16.9.1, in addition to the two existing legacy flow records.

• Attachment should be done only on physical Layer 2 and Layer 3 ports, and these ports cannot be partof a port channel. Attachment to trunk ports are not supported.

• Performance: Each switch member is able to handle 2000 connections per second (CPS) at less than 50%CPU utilization.

• Scale: Able to handle up to 20,000 bi-directional flows per 48 access ports and 10,000 bi-directionalflows per 24 access ports. (~200 flows per access port).

• Wired AVC allows only the fixed set of fields listed in the procedures of this chapter. Other combinationsare not allowed. For a regular FNF flowmonitor, other combinations are allowed (for the list of supportedFNF fields, refer the "Configuring Flexible NetFlow" chapter of theNetwork Management ConfigurationGuide).

• Starting with Cisco IOS XE 16.12.1 release, a new flow record has been included - the DNS flow record.The DNS flow record is similar to the 5-tuple record and includes the DNS domain name field. It accountsonly for DNS related fields. This record doesn't have the interface field as a match filed, so the informationfrom all interfaces is aggregated into the same record.

How to Configure Application Visibility and Control

Configuring Application Visibility and Control in a Wired NetworkTo configure application visibility and control on wired ports, follow these steps:

Configuring Visibility :

• Activate NBAR2 engine by enabling protocol-discovery on the interface using the ip nbarprotocol-discovery command in the interface configurationmode. See the section, "Enabling ApplicationRecognition on an Interface."


Configuring Application Visibility and Control in a Wired NetworkHow to Configure Application Visibility and Control

Configuring Control : Configure QoS policies based on application by

1. Creating an AVC QoS policy. See the section, "Creating AVC QoS Policy".

2. Applying AVC QoS policy to the interface. See the section, "Applying a QoS Policy to the Switch Port".

Configuring application-based Flexible Netflow :

• Create a flow record by specifying key and non-key fields to the flow.

• Create a flow exporter to export the flow record.

• Create a flow monitor based on the flow record and the flow exporter.

• Attach the flow monitor to the interface.

Protocol-Discovery, application-based QoS and application-based FNF are all independent features. Theycan be configured independently or together on the same interface at the same time.

Enabling Application Recognition on an interfaceTo enable application recognition on an interface, follow these steps:

Procedure



Example:

Step 1


Specifies the interface for which you areenabling protocol-discovery and enters interfaceconfiguration mode.


Example:

Device(config)# interface gigabitethernet

Step 2

1/0/1

Enables application recognition on the interfaceby activating NBAR2 engine.

ip nbar protocol-discovery

Example:

Step 3

Device(config-if)# ip nbarprotocol-discovery


Example:

Step 4



Configuring Application Visibility and Control in a Wired NetworkEnabling Application Recognition on an interface

Creating AVC QoS PolicyTo create AVC QoS policy, perform these general steps:

1. Create a class map with match protocol filters.

2. Create a policy map.

3. Apply the policy map to the interface.

Creating a Class Map

You need to create a class map before configuring any match protocol filter. The QoS actions such as markingand policing can be applied to the traffic. The AVC match protocol filters are applied to the wired accessports. For more information about the protocols that are supported, see http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html.

Procedure


Enters global configuration mode.terminal

Example:

Step 1


Creates a class map.class-map class-map-name

Example:

Step 2

Device(config)# class-map webex-class

Specifies match to the application name.match protocol application-name

Example:

Step 3

Device(config)# class-map webex-classDevice(config-cmap)# match protocolwebex-media

Returns to privileged EXEC mode.Alternatively, you can also press Ctrl-Z to exitglobal configuration mode.

end

Example:Device(config)# end

Step 4

Creating a Policy Map

Procedure



Example:

Step 1



Configuring Application Visibility and Control in a Wired NetworkCreating AVC QoS Policy

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html


Creates a policymap by entering the policymapname, and enters policy-map configurationmode.

policy-map policy-map-name

Example:

Device(config)# policy-map webex-policy

Step 2

By default, no policy maps are defined.

The default behavior of a policy map is to setthe DSCP to 0 if the packet is an IP packet andto set the CoS to 0 if the packet is tagged. Nopolicing is performed.

To delete an existing policy map, usethe no policy-map policy-map-nameglobal configuration command.

Note

Defines a traffic classification, and enterspolicy-map class configuration mode.

class [class-map-name | class-default]

Example:

Step 3

By default, no policy map and class maps aredefined.Device(config-pmap)# class webex-class

If a traffic class has already been defined byusing the class-map global configurationcommand, specify its name for class-map-namein this command.

A class-default traffic class is predefined andcan be added to any policy. It is always placedat the end of a policy map. With an impliedmatch any is included in the class-defaultclass, all packets that have not already matchedthe other traffic classes will matchclass-default.

To delete an existing class map, usethe no class class-map-namepolicy-map configuration command.

Note

Defines a policer for the classified traffic.police rate-bps burst-byteStep 4

Example: By default, no policer is defined.

Device(config-pmap-c)# police 10000080000

• For rate-bps, specify an average trafficrate in bits per second (b/s). The range is8000 to 10000000000.

• For burst-byte, specify the normal burstsize in bytes. The range is 1000 to512000000.

Classifies IP traffic by setting a new value inthe packet.

set {dscp new-dscp | cos cos-value}

Example:

Step 5


Configuring Application Visibility and Control in a Wired NetworkCreating a Policy Map


Device(config-pmap-c)# set dscp 45• For dscp new-dscp, enter a new DSCPvalue to be assigned to the classifiedtraffic. The range is 0 to 63.


end


Step 6

Applying a QoS Policy to the switch port

Procedure



Example:

Step 1


Enters the interface configuration mode.interface interface-id

Example:

Step 2

Device(config)# interface Gigabitethernet1/0/1

Applies local policy to interface.service-policy input policymapname

Example:

Step 3

Device(config-if)# service-policy inputMARKING_IN


end


Step 4

Configuring Wired AVC Flexible Netflow

Creating a Flow Record

Wired AVC FNF supports two types of predefined flow records — Legacy Bidirectional flow records andDirectional flow records (ingress and egress). A total of four different predefined flow records, two bidirectionalflow records and two directional flow records, can be configured and associated with a flow monitor. Thelegacy bidirectional records are client/server application statistics records, and the new directional recordsare application-stats for input/output.

Bidirectional Flow Records

Flow Record 1 - Bidirectional Flow Record


Configuring Application Visibility and Control in a Wired NetworkApplying a QoS Policy to the switch port

Procedure



Example:

Step 1


Enters flow record configuration mode.flow record flow_record_name

Example:

Step 2

Device(config)# flow record fr-wdavc-1

(Optional) Creates a description for the flowrecord.

description description

Example:

Step 3

Device(config-flow-record)# descriptionfr-wdavc-1

Specifies a match to the IP version from theIPv4 header.

match ipv4 version

Example:

Step 4

Device(config-flow-record)# match ipv4version

Specifies a match to the IPv4 protocol.match ipv4 protocol

Example:

Step 5

DEvice(config-flow-record)# match ipv4protocol

Specifies a match to the application name.match application nameStep 6

Example: This action is mandatory for AVCsupport, as this allows the flow tobe matched against the application.

Note

Device(config-flow-record)# matchapplication name

Specifies a match to the IPv4 address of theclient (flow initiator).

match connection client ipv4 address

Example:

Step 7

Device(config-flow-record)# matchconnection client ipv4 address

Specifies a match to the IPv4 address of theserver (flow responder).

match connection server ipv4 address

Example:

Step 8

Device(config-flow-record)# matchconnection server ipv4 address

Specifies a match to the transport port of theserver.

match connection server transport port

Example:

Step 9

Device(config-flow-record)# matchconnection server transport port

Specifies a match to the observation point IDfor flow observation metrics.

match flow observation point

Example:

Step 10


Configuring Application Visibility and Control in a Wired NetworkFlow Record 1 - Bidirectional Flow Record

PurposeCommand or ActionDevice(config-flow-record)# match flowobservation point

Specifies to collect the direction — Ingress orEgress — of the relevant side — Initiator or

collect flow direction

Example:

Step 11

Responder— of the bi-directional flow that isDevice(config-flow-record)# collect flowdirection

specified by the initiator keyword in thecollect connection initiator command in thestep below. Depending on the value specifiedby the initiator keyword, the flow directionkeyword takes the following values :

• 0x01 = Ingress Flow

• 0x02 = Egress Flow

When the initiator keyword is set to initiator,the flow direction is specified from the initiatorside of the flow. When the initiator keywordis set to responder, the flow direction isspecified from the responder side of the flow.For wired AVC, the initiator keyword isalways set to initiator.

Specifies to collect the side of the flow —Initiator or Responder — relevant to the

collect connection initiator

Example:

Step 12

direction of the flow specified by the collectDevice(config-flow-record)# collectconnection initiator

flow direction command. The initiatorkeyword provides the following informationabout the direction of the flow :

• 0x01 = Initiator - the flow source is theinitiator of the connection

For wired AVC, the initiator keyword isalways set to initiator.

Specifies to collect the number of connectioninitiations observed.

collect connection new-connections

Example:

Step 13

Device(config-flow-record)# collectconnection new-connections

Specifies to collect the number of packets sentby the client.

collect connection client counter packetslong

Example:

Step 14

Device(config-flow-record)# collectconnection client counter packets long

Specifies to collect the total number of bytestransmitted by the client.

collect connection client counter bytesnetwork long

Example:

Step 15



PurposeCommand or ActionDevice(config-flow-record)# collectconnection client counter bytes networklong

Specifies to collect the number of packets sentby the server.

collect connection server counter packetslong

Example:

Step 16

Device(config-flow-record)# collectconnection server counter packets long

Specifies to collect the total number of bytestransmitted by the server.

collect connection server counter bytesnetwork long

Example:

Step 17

Device(config-flow-record)# collectconnection server counter bytes networklong

Specifies to collect the time, in milliseconds,when the first packet was seen in the flow.

collect timestamp absolute first

Example:

Step 18

Device(config-flow-record)# collecttimestamp absolute first

Specifies to collect the time, in milliseconds,when the most recent packet was seen in theflow.

collect timestamp absolute last

Example:Device(config-flow-record)# collecttimestamp absolute last

Step 19

Returns to privileged EXEC mode.Alternatively, you can also pressCtrl-Z to exitglobal configuration mode.

end


Step 20

Displays information about all the flowrecords.

show flow record

Example:

Step 21

Device# show flow record

Flow Record 2 - Bidirectional Flow Record

Procedure



Example:

Step 1



Example:

Step 2



PurposeCommand or ActionDevice(config)# flow record fr-wdavc-1



Example:

Step 3

Device(config-flow-record)# descriptionfr-wdavc-1


match ipv4 version

Example:

Step 4



Example:

Step 5

Device(config-flow-record)# match ipv4protocol



Note




Example:

Step 7


(Optional) Specifies a match to the connectionport of the client as a key field for a flowrecord.

match connection client transport port

Example:Device(config-flow-record)# matchconnection client transport port

Step 8



Example:

Step 9




Example:

Step 10

Device(config-flow-record)# matchconnection server transport port

Specifies a match to the observation point IDfor flow observation metrics.

match flow observation point

Example:

Step 11

Device(config-flow-record)# match flowobservation point






Example:

Step 12








Example:

Step 13







Example:

Step 14




Example:

Step 15




Example:

Step 16



PurposeCommand or ActionDevice(config-flow-record)# collectconnection client counter bytes networklong



Example:

Step 17




Example:

Step 18




Example:

Step 19





Step 20


end


Step 21


show flow record

Example:

Step 22


Directional Flow Records

Flow Record 3 - Directional Flow Record - Ingress

Procedure



Example:

Step 1



Configuring Application Visibility and Control in a Wired NetworkDirectional Flow Records



Example:

Step 2




Example:

Step 3

Device(config-flow-record)# descriptionflow-record-1


match ipv4 version

Example:

Step 4



Example:

Step 5


Specifies a match to the IPv4 source addressas a key field.

match ipv4 source address

Example:

Step 6

Device(config-flow-record)# match ipv4source address

Specifies a match to the IPv4 destinationaddress as a key field.

match ipv4 destination address

Example:

Step 7

Device(config-flow-record)# match ipv4destination address

Specifies a match to the transport source portas a key field.

match transport source-port

Example:

Step 8

Device(config-flow-record)# matchtransport source-port

Specifies a match to the transport destinationport as a key field.

match transport destination-port

Example:

Step 9

Device(config-flow-record)# matchtransport destination-port

Specifies a match to the input interface as akey field.

match interface input

Example:

Step 10

Device(config-flow-record)# matchinterface input


Example:


Configuring Application Visibility and Control in a Wired NetworkFlow Record 3 - Directional Flow Record - Ingress

PurposeCommand or ActionDevice(config-flow-record)# matchapplication name

This action is mandatory for AVCsupport, as this allows the flow tobe matched against the application.

Note

Specifies to collect the output interface fromthe flows.

collect interface output

Example:

Step 12

Device(config-flow-record)# collectinterface output

Specifies to collect the number of bytes in aflow.

collect counter bytes long

Example:

Step 13

Device(config-flow-record)# collectcounter bytes long

Specifies to collect the number of packets ina flow.

collect counter packets long

Example:

Step 14

Device(config-flow-record)# collectcounter packets long



Example:

Step 15





Step 16


end


Step 17


show flow record

Example:

Step 18


Flow Record 4 - Directional Flow Record - Egress

Procedure



Example:

Step 1



Configuring Application Visibility and Control in a Wired NetworkFlow Record 4 - Directional Flow Record - Egress



Example:

Step 2




Example:

Step 3



match ipv4 version

Example:

Step 4



Example:

Step 5


Specifies a match to the IPv4 source addressas a key field.

match ipv4 source address

Example:

Step 6

Device(config-flow-record)# match ipv4source address

Specifies a match to the IPv4 destinationaddress as a key field.

match ipv4 destination address

Example:

Step 7

Device(config-flow-record)# match ipv4destination address

Specifies a match to the transport source portas a key field.

match transport source-port

Example:

Step 8

Device(config-flow-record)# matchtransport source-port

Specifies a match to the transport destinationport as a key field.

match transport destination-port

Example:

Step 9

Device(config-flow-record)# matchtransport destination-port

Specifies a match to the output interface as akey field.

match interface output

Example:

Step 10

Device(config-flow-record)# matchinterface output


Example:


Configuring Application Visibility and Control in a Wired NetworkFlow Record 4 - Directional Flow Record - Egress

PurposeCommand or ActionDevice(config-flow-record)# matchapplication name

This action is mandatory for AVCsupport, as this allows the flow tobe matched against the application.

Note

Specifies to collect the input interface from theflows.

collect interface input

Example:

Step 12

Device(config-flow-record)# collectinterface input

Specifies to collect the number of bytes in aflow.

collect counter bytes long

Example:

Step 13

Device(config-flow-record)# collectcounter bytes long

Specifies to collect the number of packets ina flow.

collect counter packets long

Example:

Step 14

Device(config-flow-record)# collectcounter packets long



Example:

Step 15





Step 16


end


Step 17


show flow record

Example:

Step 18


DNS Flow Record

Flow Record 5 - DNS Flow Record


Configuring Application Visibility and Control in a Wired NetworkDNS Flow Record

Procedure



Example:

Step 1



Example:

Step 2




Example:

Step 3



match ipv4 version

Example:

Step 4



Example:

Step 5




Note




Example:

Step 7


Specifies a match to the connection port of theclient as a key field for a flow record.

match connection client transport port

Example:

Step 8

Device(config-flow-record)# matchconnection client transport port



Example:

Step 9




Example:

Step 10


Configuring Application Visibility and Control in a Wired NetworkFlow Record 5 - DNS Flow Record

PurposeCommand or ActionDevice(config-flow-record)# matchconnection server transport port



Example:

Step 11








Example:

Step 12





Step 13



Example:

Step 14







Example:

Step 15



Configuring Application Visibility and Control in a Wired NetworkFlow Record 5 - DNS Flow Record




Example:

Step 16




Example:

Step 17




Example:

Step 18




Example:

Step 19

Device(config-flow-record)# collectconnection client counter bytes networklong

Configures the use of the DNSDomain-Nameas a Collect field for a DNS flow record.

collect application dns domain-name

Example:

Step 20

Device(config-flow-record)# collectapplication dns domain-name


end


Step 21

Creating a Flow Exporter

You can create a flow exporter to define the export parameters for a flow.

Procedure



Example:

Step 1



Configuring Application Visibility and Control in a Wired NetworkCreating a Flow Exporter


Enters flow exporter configuration mode.flow exporter flow_exporter_name

Example:

Step 2

Device(config)# flow exporterflow-exporter-1

(Optional) Creates a description for the flowexporter.


Example:

Step 3

Device(config-flow-exporter)# descriptionflow-exporter-1

Specifies the hostname, IPv4 or IPv6 addressof the system to which the exporter sends data.

destination { hostname | ipv4-address |ipv6-address }

Example:

Step 4

Device(config-flow-exporter)# destination10.10.1.1

(Optional) Configures the application tableoption for the flow exporter. The timeout option

option application-table [ timeout seconds]

Step 5

configures the resend time in seconds for theExample: flow exporter. The valid range is from 1 to

86400 seconds.Device(config-flow-exporter)# optionapplication-table timeout 500


end


Step 6

Displays information about all the flowexporters.

show flow exporter

Example:

Step 7

Device# show flow exporter

Displays flow exporter statistics.show flow exporter statistics

Example:

Step 8

Device# show flow exporter statistics

Creating a Flow Monitor

You can create a flow monitor and associate it with a flow record.

Procedure



Example:

Step 1



Configuring Application Visibility and Control in a Wired NetworkCreating a Flow Monitor


Creates a flowmonitor and enters flowmonitorconfiguration mode.

flow monitor monitor-name

Example:

Step 2

Device(config)# flow monitorflow-monitor-1

(Optional) Creates a description for the flowmonitor.


Example:

Step 3

Device(config-flow-monitor)# descriptionflow-monitor-1

Specifies the name of a record that was createdpreviously.

record record-name

Example:

Step 4

Device(config-flow-monitor)# recordflow-record-1

Specifies the name of an exporter that wascreated previously.

exporter exporter-name

Example:

Step 5

Device(config-flow-monitor)# exporterflow-exporter-1

(Optional) Specifies to configure flow cacheparameters.

cache { entries number-of-entries |timeout {active | inactive} | typenormal }

Step 6

• entries number-of-entries — Specifiesthe maximum number of flow entries inExample:the flow cache in the range from 16 to65536.

Device(config-flow-monitor)# cachetimeout active 1800

Only normal cache type issupported.

NoteExample:Device(config-flow-monitor)# cachetimeout inactive 200

Example:Device(config-flow-monitor)# cache typenormal


end


Step 7

Displays information about all the flowmonitors.

show flow monitor

Example:

Step 8

Device# show flow monitor

Displays information about the specified wiredAVC flow monitor.

show flow monitor flow-monitor-name

Example:

Step 9

Device# show flow monitor flow-monitor-1


Configuring Application Visibility and Control in a Wired NetworkCreating a Flow Monitor


Displays statistics for wired AVC flowmonitor.

show flow monitor flow-monitor-namestatistics

Example:

Step 10

Device# show flow monitor flow-monitor-1statistics

Clears the statistics of the specified flowmonitor. Use the show flow monitor

clear flow monitor flow-monitor-namestatistics

Step 11

flow-monitor-1 statistics command after usingExample: the clear flow monitor flow-monitor-1Device# clear flow monitorflow-monitor-1 statistics

statistics to verify that all the statistics havebeen reset.

Displays flow cache contents in a tabularformat.

show flow monitor flow-monitor-name cacheformat table

Example:

Step 12

Device# show flow monitor flow-monitor-1cache format table

Displays flow cache contents in similar formatas the flow record.

show flow monitor flow-monitor-name cacheformat record

Example:

Step 13

Device# show flow monitor flow-monitor-1cache format record

Displays flow cache contents in CSV format.show flow monitor flow-monitor-name cacheformat csv

Step 14

Example:Device# show flow monitor flow-monitor-1cache format csv

Associating Flow Monitor to an interface

You can attach two different wired AVC monitors with different predefined records to an interface at thesame time.

Procedure



Example:

Step 1


Enters the interface configuration mode.interface interface-idStep 2

Example:


Configuring Application Visibility and Control in a Wired NetworkAssociating Flow Monitor to an interface


Device(config)# interface Gigabitethernet1/0/1

Associates a flow monitor to the interface forinput and/or output packets.

ip flow monitor monitor-name { input |output }

Example:

Step 3

Device(config-if) # ip flow monitorflow-monitor-1 input


end


Step 4

NBAR2 Custom ApplicationsNBAR2 supports the use of custom protocols to identify custom applications. Custom protocols supportprotocols and applications that NBAR2 does not currently support.

In every deployment, there are local and specific applications which are not covered by the NBAR2 protocolpack provided by Cisco. Local applications are mainly categorized as:

• Specific applications to an organization

• Applications specific to a geography

NBAR2 provides a way to manually customize such local applications. You can manually customizeapplications using the command ip nbar custom myappname in global configuration mode. Customapplications take precedence over built-in protocols. For each custom protocol, user can define a selector IDthat can be used for reporting purposes.

There are various types of application customization:

Generic protocol customization

• HTTP

• SSL

• DNS

Composite : Customization based on multiple underlying protocols – server-name

Layer3/Layer4 customization

• IPv4 address

• DSCP values

• TCP/UDP ports

• Flow source or destination direction

Byte Offset : Customization based on specific byte values in the payload


Configuring Application Visibility and Control in a Wired NetworkNBAR2 Custom Applications

HTTP Customization

HTTP customization could be based on a combination of HTTP fields from:

• cookie - HTTP Cookie

• host - Host name of Origin Server containing resource

• method - HTTP method

• referrer - Address the resource request was obtained from

• url - Uniform Resource Locator path

• user-agent - Software used by agent sending the request

• version - HTTP version

• via - HTTP via field

HTTP Customization

Custom application called MYHTTP using the HTTP host “*mydomain.com” with Selector ID 10.Device# configure terminalDevice(config)# ip nbar custom MYHTTP http host *mydomain.com id 10

SSL Customization

Customization can be done for SSL encrypted traffic using information extracted from the SSL Server NameIndication (SNI) or Common Name (CN).

SSL Customization

Custom application called MYSSL using SSL unique-name “mydomain.com” with selector ID 11.Device# configure terminalDevice(config)#ip nbar custom MYSSL ssl unique-name *mydomain.com id 11

DNS Customization

NBAR2 examines DNS request and response traffic, and can correlate the DNS response to an application.The IP address returned from the DNS response is cached and used for later packet flows associated with thatspecific application.

The command ip nbar custom application-name dns domain-name id application-id is used for DNScustomization. To extend an existing application, use the command ip nbar custom application-name dnsdomain-name domain-name extends existing-application.

For more information on DNS based customization, see http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/configuration/xe-3s/asr1000/qos-nbar-xe-3s-asr-1000-book/nbar-custapp-dns-xe.html.

DNS Customization

Custom application called MYDNS using the DNS domain name “mydomain.com” with selectorID 12.


Configuring Application Visibility and Control in a Wired NetworkHTTP Customization

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/configuration/xe-3s/asr1000/qos-nbar-xe-3s-asr-1000-book/nbar-custapp-dns-xe.html

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/configuration/xe-3s/asr1000/qos-nbar-xe-3s-asr-1000-book/nbar-custapp-dns-xe.html

Device# configure terminalDevice(config)# ip nbar custom MYDNS dns domain-name *mydomain.com id 12

Composite Customization

NBAR2 provides a way to customize applications based on domain names appearing in HTTP, SSL or DNS.

Composite Customization

Custom application called MYDOMAIN using HTTP, SSL or DNS domain name “mydomain.com”with selector ID 13.Device# configure terminalDevice(config)# ip nbar custom MYDOMAIN composite server-name *mydomain.com id 13

L3/L4 Customization

Layer3/Layer4 customization is based on the packet tuple and is always matched on the first packet of a flow.

L3/L4 Customization

Custom application called LAYER4CUSTOM matching IP addresses 10.56.1.10 and 10.56.1.11,TCP and DSCP ef with selector ID 14.Device# configure terminalDevice(config)# ip nbar custom LAYER4CUSTOM transport tcp id 14Device(config-custom)# ip address 10.56.1.10 10.56.1.11Device(config-custom)# dscp ef

Examples: Monitoring Custom Applications

Show Commands for Monitoring Custom Applications

show ip nbar protocol-id | inc Custom

Device# show ip nbar protocol-id | inc CustomLAYER4CUSTOM 14 CustomMYDNS 12 CustomMYDOMAIN 13 CustomMYHTTP 10 CustomMYSSL 11 Custom

show ip nbar protocol-discovery protocol CUSTOM_APP

Device# show ip nbar protocol-id MYSSLProtocol Name id type----------------------------------------------MYSSL 11 Custom

NBAR2 Dynamic Hitless Protocol Pack UpgradeProtocol packs are software packages that update the NBAR2 protocol support on a device without replacingthe Cisco software on the device. A protocol pack contains information on applications officially supportedby NBAR2 which are compiled and packed together. For each application, the protocol-pack includes


Configuring Application Visibility and Control in a Wired NetworkComposite Customization

information on application signatures and application attributes. Each software release has a built-inprotocol-pack bundled with it.

Protocol packs provide the following features:

• They are easy and fast to load.

• They are easy to upgrade to a higher version protocol pack or revert to a lower version protocol pack.

• They do not require the switch to be reloaded.

When using switch stacking, ensure that each switch has the same Protocol Pack file loaded. If you executethe ip nbar protocol-pack flash protocol-pack-file command on the primary switch in the stack, any switchin the stack that does not have the file loaded will be reloaded due to a configuration mismatch.

Warning

NBAR2 protocol packs are available for download on Cisco Software Center from this URL:https://software.cisco.com/download/home .

Prerequisites for the NBAR2 Protocol Pack

Before loading a new protocol pack, you must copy the protocol pack to the flash on all the switch members.

To load a protocol pack, see Loading the NBAR2 Protocol Pack, on page 150 .

Loading the NBAR2 Protocol Pack

Procedure




Device> enable


Example:

Step 2


Loads the protocol pack.ip nbar protocol-pack protocol-pack[force]

Step 3

• Use the force keyword to specify and loada protocol pack of a lower version, whichExample:is different from the base protocol pack

Device(config)# ip nbar protocol-packflash:defProtoPack

version. This also removes theconfiguration that is not supported by thecurrent protocol pack on the switch.Example:

Device(config)# default ip nbarprotocol-pack For reverting to the built-in protocol pack, use

the following command:


Configuring Application Visibility and Control in a Wired NetworkPrerequisites for the NBAR2 Protocol Pack

https://software.cisco.com/download/home


Returns to privileged EXEC mode.exit

Example:

Step 4


Displays the protocol pack information.show ip nbar protocol-pack {protocol-pack |active} [detail]

Step 5

• Verify the loaded protocol pack version,publisher, and other details using thiscommand.

Example:

Device# show ip nbar protocol-pack active• Use the protocol-pack argument to displayinformation about the specified protocolpack.

• Use the active keyword to display activeprotocol pack information.

• Use the detail keyword to display detailedprotocol pack information.

Examples: Loading the NBAR2 Protocol Pack

The following example shows how to load a new protocol pack:Device> enableDevice# configure terminalDevice(config)# ip nbar protocol-pack flash:newDefProtoPackDevice(config)# exit

The following example shows how to use the force keyword to load a protocol pack of a lower version:Device> enableDevice# configure terminalDevice(config)# ip nbar protocol-pack flash:OldDefProtoPack forceDevice(config)# exit

The following example shows how to revert to the built-in protocol pack:Device> enableDevice# configure terminalDevice(config)# default ip nbar protocol-packDevice(config)# exit

Monitoring Application Visibility and ControlThis section describes the new commands for application visibility.

The following commands can be used to monitor application visibility on the switch and access ports.

Table 8: Monitoring Application Visibility Commands on the Switch

PurposeCommand


Configuring Application Visibility and Control in a Wired NetworkExamples: Loading the NBAR2 Protocol Pack

Displays the statistics gathered by the NBAR ProtocolDiscovery feature.

• (Optional) Enter keywords and arguments to fine-tunethe statistics displayed. For more information on eachof the keywords, refer to the show ip nbarprotocol-discoverycommand in Cisco IOS Qualityof Service Solutions Command Reference.

show ip nbar protocol-discovery [interfaceinterface-type interface-number][stats{byte-count | bit-rate | packet-count| max-bit-rate}] [protocol protocol-name| top-n number]

Displays information about policy map applied to theinterface.

show policy-map interface interface-typeinterface-number

Displays statistics about all flows on the specified switch.show platform software fed switch switch idwdavc flows

Examples: Application Visibility and Control ConfigurationThis example shows how to create class maps with apply match protocol filters for application name:Device# configure terminalDevice(config)# class-map match-any NBAR-VOICEDevice(config-cmap)# match protocol ms-lync-audioDevice(config-cmap)#end

This example shows how to create policy maps and define existing class maps for egress QoS:Device # configure terminalDevice(config)# policy-map test-avc-upDevice(config-pmap)# class cat-browsingDevice(config-pmap-c)# police 150000Device(config-pmap-c)# set dscp 12Device(config-pmap-c)#end

This example shows how to create policy maps and define existing class maps for ingress QoS:Device# configure terminalDevice(config)# policy-map test-avc-downDevice(config-pmap)# class cat-browsingDevice(config-pmap-c)# police 200000Device(config-pmap-c)# set dscp 10Device(config-pmap-c)#end

This example shows how to apply policy maps to a switch port:Device# configure terminalDevice(config)# interface GigabitEthernet 1/0/1Device(config-if)# switchport mode accessDevice(config-if)# switchport access vlan 20Device(config-if)# service-policy input POLICING_INDevice(config-if)#end

This example shows how to create class maps based on NBAR attributes.Device# configure terminalDevice(config)# class-map match-all rel-relevantDevice(config-cmap)# match protocol attribute business-relevance business-relevant

Device(config)# class-map match-all rel-irrelevantDevice(config-cmap)# match protocol attribute business-relevance business-irrelevant


Configuring Application Visibility and Control in a Wired NetworkExamples: Application Visibility and Control Configuration

Device(config)# class-map match-all rel-defaultDevice(config-cmap)# match protocol attribute business-relevance default

Device(config)# class-map match-all class--ops-admin-and-relDevice(config-cmap)# match protocol attribute traffic-class ops-admin-mgmtDevice(config-cmap)# match protocol attribute business-relevance business-relevant

This example shows how to create policy maps based on class maps based on NBAR attributes.Device# configure terminalDevice(config)# policy-map attrib--rel-typesDevice(config-pmap)# class rel-relevantDevice(config-pmap-c)# set dscp efDevice(config-pmap-c)# class rel-irrelevantDevice(config-pmap-c)# set dscp af11Device(config-pmap-c)# class rel-defaultDevice(config-pmap-c)# set dscp default

Device(config)# policy-map attrib--ops-admin-and-relDevice(config-pmap)# class class--ops-admin-and-relDevice(config-pmap-c)# set dscp cs5

This example shows how to attach a policy map based on NBAR attributes to a wired port:Device# configure terminalDevice(config)# interface GigabitEthernet1/0/2Device(config-if)# service-policy input attrib--rel-types

Show Commands for Viewing the Configuration

show ip nbar protocol-discovery

Displays a report of the Protocol Discovery statistics per interface.

The following is a sample output for the statistics per interface:Device# show ip nbar protocol-discovery int GigabitEthernet1/0/1

GigabitEthernet1/0/1Last clearing of "show ip nbar protocol-discovery" counters 00:03:16

InputOutput

-----------Protocol Packet CountPacket Count

Byte CountByte Count

30sec Bit Rate (bps)30sec Bit Rate (bps)

30sec Max Bit Rate (bps)30sec Max Bit Rate (bps)------------------------ ---------------------------------------------------------------------------ms-lync 6058055911



3117477728774864

361300093000

36130003437000Total 6058055911

3117477728774864

361300093000

36130003437000

show policy-map interface

Displays the QoS statistics and the configured policy maps on all interfaces.

The following is a sample output for the policy-maps configured on all the interfaces:Device# show policy-map int

GigabitEthernet1/0/1Service-policy input: MARKING-IN

Class-map: NBAR-VOICE (match-any)718 packetsMatch: protocol ms-lync-audio0 packets, 0 bytes30 second rate 0 bps

QoS Setdscp ef

Class-map: NBAR-MM_CONFERENCING (match-any)6451 packetsMatch: protocol ms-lync0 packets, 0 bytes30 second rate 0 bps

Match: protocol ms-lync-video0 packets, 0 bytes30 second rate 0 bps

QoS Setdscp af41

Class-map: class-default (match-any)34 packetsMatch: any

Show Commands for Viewing Attributes-based QoS Configuration

show policy-map interface

Displays the attribute-based QoS statistics and the configured policy maps on all interfaces.



The following is a sample output for the policy-maps configured on all the interfaces:Device# show policy-map interface gigabitEthernet 1/0/2GigabitEthernet1/0/2

Service-policy input: attrib--rel-types

Class-map: rel-relevant (match-all)20 packetsMatch: protocol attribute business-relevance business-relevantQoS Setdscp ef

Class-map: rel-irrelevant (match-all)0 packetsMatch: protocol attribute business-relevance business-irrelevantQoS Setdscp af11

Class-map: rel-default (match-all)14 packetsMatch: protocol attribute business-relevance defaultQoS Setdscp default

Class-map: class-default (match-any)0 packetsMatch: any

show ip nbar protocol-attribute

Displays all the protocol attributes used by NBAR.

The following shows sample output for some of the attributes:Device# show ip nbar protocol-attribute cisco-jabber-im

Protocol Name : cisco-jabber-imencrypted : encrypted-yes

tunnel : tunnel-nocategory : voice-and-video

sub-category : enterprise-media-conferencingapplication-group : cisco-jabber-group

p2p-technology : p2p-tech-notraffic-class : transactional-data

business-relevance : business-relevantapplication-set : collaboration-apps

Device# show ip nbar protocol-attribute google-servicesProtocol Name : google-services

encrypted : encrypted-yestunnel : tunnel-no

category : othersub-category : other

application-group : google-groupp2p-technology : p2p-tech-yes



traffic-class : transactional-databusiness-relevance : default

application-set : general-browsing

Device# show ip nbar protocol-attribute dnsProtocol Name : google-services

encrypted : encrypted-yestunnel : tunnel-no


application-group : google-groupp2p-technology : p2p-tech-yestraffic-class : transactional-data

business-relevance : defaultapplication-set : general-browsing

Device# show ip nbar protocol-attribute unknownProtocol Name : unknown

encrypted : encrypted-notunnel : tunnel-no


application-group : otherp2p-technology : p2p-tech-notraffic-class : bulk-data

business-relevance : defaultapplication-set : general-misc

Show Commands for Viewing Flow Monitor Configuration

show flow monitor wdavc

Displays information about the specified wired AVC flow monitor.Device # show flow monitor wdavc

Flow Monitor wdavc:Description: User definedFlow Record: wdavcFlow Exporter: wdavc-exp (inactive)Cache:Type: normal (Platform cache)Status: not allocatedSize: 12000 entriesInactive Timeout: 15 secsActive Timeout: 1800 secs

show flow monitor wdavc statistics

Displays statistics for wired AVC flow monitor.Device# show flow monitor wdavc statisticsCache type: Normal (Platform cache)Cache size: 12000Current entries: 13



Flows added: 26Flows aged: 13- Active timeout ( 1800 secs) 1- Inactive timeout ( 15 secs) 12

clear flow monitor wdavc statistics

Clears the statistics of the specified flow monitor. Use the show flow monitor wdavc statistics commandafter using the clear flow monitor wdavc statistics to verify that all the statistics have been reset. Thefollowing is a sample output of the show flow monitor wdavc statistics command after clearing flowmonitorstatistics.Device# show flow monitor wdavc statisticsCache type: Normal (Platform cache)Cache size: 12000Current entries: 0

Flows added: 0Flows aged: 0

Show Commands for Viewing Cache Contents

show flow monitor wdavc cache format table

Displays flow cache contents in a tabular format.Device# show flow monitor wdavc cache format tableCache type: Normal (Platform cache)Cache size: 12000Current entries: 13


CONN IPV4 INITIATOR ADDR CONN IPV4 RESPONDER ADDR CONN RESPONDER PORTFLOW OBSPOINT ID IP VERSION IP PROT APP NAME flowdirn ...................------------------------ ------------------------ ----------------------------------- ---------- ------- ------------------------------------64.103.125.147 144.254.71.184 53

4294967305 4 17 port dns Input....................

64.103.121.103 10.1.1.2 674294967305 4 17 layer7 dhcp Input

....contd...........64.103.125.3 64.103.125.97 68

4294967305 4 17 layer7 dhcp Input....................

10.0.2.6 157.55.40.149 4434294967305 4 6 layer7 ms-lync Input

....................64.103.126.28 66.163.36.139 443



4294967305 4 6 layer7 cisco-jabber-im Input....contd...........

64.103.125.2 64.103.125.29 684294967305 4 17 layer7 dhcp Input

....................64.103.125.97 64.103.101.181 67

4294967305 4 17 layer7 dhcp Input....................

192.168.100.6 10.10.20.1 50604294967305 4 17 layer7 cisco-jabber-control Input

....contd...........64.103.125.3 64.103.125.29 68

4294967305 4 17 layer7 dhcp Input....................

10.80.101.18 10.80.101.6 50604294967305 4 6 layer7 cisco-collab-control Input

....................10.1.11.4 66.102.11.99 80

4294967305 4 6 layer7 google-services Input....contd...........

64.103.125.2 64.103.125.97 684294967305 4 17 layer7 dhcp Input

....................64.103.125.29 64.103.101.181 67

4294967305 4 17 layer7 dhcp Input....................

show flow monitor wdavc cache format record

Displays flow cache contents in similar format as the flow record.Device# show flow monitor wdavc cache format recordCache type: Normal (Platform cache)Cache size: 12000Current entries: 13


CONNECTION IPV4 INITIATOR ADDRESS: 64.103.125.147CONNECTION IPV4 RESPONDER ADDRESS: 144.254.71.184CONNECTION RESPONDER PORT: 53FLOW OBSPOINT ID: 4294967305IP VERSION: 4IP PROTOCOL: 17APPLICATION NAME: port dnsflow direction: Inputtimestamp abs first: 08:55:46.917timestamp abs last: 08:55:46.917connection initiator: Initiatorconnection count new: 2



connection server packets counter: 1connection client packets counter: 1connection server network bytes counter: 190connection client network bytes counter: 106

CONNECTION IPV4 INITIATOR ADDRESS: 64.103.121.103CONNECTION IPV4 RESPONDER ADDRESS: 10.1.1.2CONNECTION RESPONDER PORT: 67FLOW OBSPOINT ID: 4294967305IP VERSION: 4IP PROTOCOL: 17APPLICATION NAME: layer7 dhcpflow direction: Inputtimestamp abs first: 08:55:47.917timestamp abs last: 08:55:47.917connection initiator: Initiatorconnection count new: 1connection server packets counter: 0connection client packets counter: 1connection server network bytes counter: 0connection client network bytes counter: 350


CONNECTION IPV4 INITIATOR ADDRESS: 10.0.2.6CONNECTION IPV4 RESPONDER ADDRESS: 157.55.40.149CONNECTION RESPONDER PORT: 443FLOW OBSPOINT ID: 4294967305IP VERSION: 4IP PROTOCOL: 6APPLICATION NAME: layer7 ms-lyncflow direction: Inputtimestamp abs first: 08:55:46.917timestamp abs last: 08:55:46.917connection initiator: Initiatorconnection count new: 2




CONNECTION IPV4 INITIATOR ADDRESS: 64.103.126.28CONNECTION IPV4 RESPONDER ADDRESS: 66.163.36.139CONNECTION RESPONDER PORT: 443FLOW OBSPOINT ID: 4294967305IP VERSION: 4IP PROTOCOL: 6APPLICATION NAME: layer7 cisco-jabber-imflow direction: Inputtimestamp abs first: 08:55:46.917timestamp abs last: 08:55:46.917connection initiator: Initiatorconnection count new: 2connection server packets counter: 12connection client packets counter: 10connection server network bytes counter: 5871connection client network bytes counter: 2088


CONNECTION IPV4 INITIATOR ADDRESS: 64.103.125.97CONNECTION IPV4 RESPONDER ADDRESS: 64.103.101.181CONNECTION RESPONDER PORT: 67FLOW OBSPOINT ID: 4294967305IP VERSION: 4IP PROTOCOL: 17APPLICATION NAME: layer7 dhcpflow direction: Inputtimestamp abs first: 08:55:47.917timestamp abs last: 08:55:47.917connection initiator: Initiatorconnection count new: 1




CONNECTION IPV4 INITIATOR ADDRESS: 192.168.100.6CONNECTION IPV4 RESPONDER ADDRESS: 10.10.20.1CONNECTION RESPONDER PORT: 5060FLOW OBSPOINT ID: 4294967305IP VERSION: 4IP PROTOCOL: 17APPLICATION NAME: layer7 cisco-jabber-controlflow direction: Inputtimestamp abs first: 08:55:46.917timestamp abs last: 08:55:46.917connection initiator: Initiatorconnection count new: 1connection server packets counter: 0connection client packets counter: 2connection server network bytes counter: 0connection client network bytes counter: 2046


CONNECTION IPV4 INITIATOR ADDRESS: 10.80.101.18CONNECTION IPV4 RESPONDER ADDRESS: 10.80.101.6CONNECTION RESPONDER PORT: 5060FLOW OBSPOINT ID: 4294967305IP VERSION: 4IP PROTOCOL: 6APPLICATION NAME: layer7 cisco-collab-controlflow direction: Inputtimestamp abs first: 08:55:46.917timestamp abs last: 08:55:47.917connection initiator: Initiatorconnection count new: 2




CONNECTION IPV4 INITIATOR ADDRESS: 10.1.11.4CONNECTION IPV4 RESPONDER ADDRESS: 66.102.11.99CONNECTION RESPONDER PORT: 80FLOW OBSPOINT ID: 4294967305IP VERSION: 4IP PROTOCOL: 6APPLICATION NAME: layer7 google-servicesflow direction: Inputtimestamp abs first: 08:55:46.917timestamp abs last: 08:55:46.917connection initiator: Initiatorconnection count new: 2connection server packets counter: 3connection client packets counter: 5connection server network bytes counter: 1733connection client network bytes counter: 663


CONNECTION IPV4 INITIATOR ADDRESS: 64.103.125.29CONNECTION IPV4 RESPONDER ADDRESS: 64.103.101.181CONNECTION RESPONDER PORT: 67FLOW OBSPOINT ID: 4294967305IP VERSION: 4IP PROTOCOL: 17APPLICATION NAME: layer7 dhcpflow direction: Inputtimestamp abs first: 08:55:47.917timestamp abs last: 08:55:47.917connection initiator: Initiatorconnection count new: 1




show flow monitor wdavc cache format csv

Displays flow cache contents in CSV format.Device# show flow monitor wdavc cache format csvCache type: Normal (Platform cache)Cache size: 12000Current entries: 13


CONN IPV4 INITIATOR ADDR,CONN IPV4 RESPONDER ADDR,CONN RESPONDER PORT,FLOWOBSPOINT ID,IP VERSION,IPPROT,APP NAME,flow dirn,time abs first,time abs last,conn initiator,conncount new,conn server packetscnt,conn client packets cnt,conn server network bytes cnt,conn clientnetwork bytes cnt64.103.125.147,144.254.71.184,53,4294967305,4,17,portdns,Input,08:55:46.917,08:55:46.917,Initiator,2,1,1,190,10664.103.121.103,10.1.1.2,67,4294967305,4,17,layer7dhcp,Input,08:55:47.917,08:55:47.917,Initiator,1,0,1,0,35064.103.125.3,64.103.125.97,68,4294967305,4,17,layer7dhcp,Input,08:55:47.917,08:55:53.917,Initiator,1,0,4,0,141210.0.2.6,157.55.40.149,443,4294967305,4,6,layer7 ms-lync,Input,08:55:46.917,08:55:46.917,Initiator,2,10,14,6490,163964.103.126.28,66.163.36.139,443,4294967305,4,6,layer7 cisco-jabber-im,Input,08:55:46.917,08:55:46.917,Initiator,2,12,10,5871,208864.103.125.2,64.103.125.29,68,4294967305,4,17,layer7dhcp,Input,08:55:47.917,08:55:47.917,Initiator,1,0,2,0,71264.103.125.97,64.103.101.181,67,4294967305,4,17,layer7dhcp,Input,08:55:47.917,08:55:47.917,Initiator,1,0,1,0,350192.168.100.6,10.10.20.1,5060,4294967305,4,17,layer7 cisco-jabber-control,Input,08:55:46.917,08:55:46.917,Initiator,1,0,2,0,204664.103.125.3,64.103.125.29,68,4294967305,4,17,layer7dhcp,Input,08:55:47.917,08:55:47.917,Initiator,1,0,2,0,71210.80.101.18,10.80.101.6,5060,4294967305,4,6,layer7 cisco-collab-control,Input,08:55:46.917,08:55:47.917,Initiator,2,23,27,12752,877310.1.11.4,66.102.11.99,80,4294967305,4,6,layer7 google-services,Input,08:55:46.917,08:55:46.917,Initiator,2,3,5,1733,66364.103.125.2,64.103.125.97,68,4294967305,4,17,layer7dhcp,Input,08:55:47.917,08:55:53.917,Initiator,1,0,4,0,141264.103.125.29,64.103.101.181,67,4294967305,4,17,layer7dhcp,Input,08:55:47.917,08:55:47.917,Initiator,1,0,1,0,350



Basic Troubleshooting - Questions and AnswersFollowing are the basic questions and answers for troubleshooting wired Application Visibility and Control:

1. Question: My IPv6 traffic is not being classified.

Answer: Currently only IPv4 traffic is supported.

2. Question: My multicast traffic is not being classified

Answer: Currently only unicast traffic is supported

3. Question: I send ping but I don’t see them being classified

Answer: Only TCP/UDP protocols are supported

4. Question: Why can’t I attach NBAR to an SVI?

Answer: NBAR is only supported on physical interfaces.

5. Question: I see that most of my traffic is CAPWAP traffic, why?

Answer: Make sure that you have enabled NBAR on an access port that is not connected to a wirelessaccess port. All traffic coming from AP’s will be classified as capwap. Actual classification in this casehappens either on the AP or WLC.

6. Question: In protocol-discovery, I see traffic only on one side. Along with that, there are a lot ofunknown traffic.

Answer: This usually indicates that NBAR sees asymmetric traffic: one side of the traffic is classifiedin one switch member and the other on a different member. The recommendation is to attach NBARonly on access ports where we see both sides of the traffic. If you have multiple uplinks, you can’t attachNBAR on them due to this issue. Similar issue happens if you configure NBAR on an interface that ispart of a port channel.

7. Question: With protocol-discovery, I see an aggregate view of all application. How can I see trafficdistribution over time?

Answer: WebUI will give you view of traffic over time for the last 48 hours.

8. Question: I can't configure queue-based egress policy with match protocol protocol-name command.

Answer: Only shape and set DSCP are supported in a policy with NBAR2 based classifiers. Commonpractice is to set DSCP on ingress and perform shaping on egress based on DSCP.

9. Question: I don’t have NBAR2 attached to any interface but I still see that NBAR2 is activated.

Answer: If you have any class-map with match protocol protocol-name, NBAR will be globallyactivated on the switch but no traffic will be subjected to NBAR classification. This is an expectedbehavior and it does not consume any resources.

10. Question: I see some traffic under the default QOS queue. Why?

Answer: For each new flow, it takes a few packets to classify it and install the result in the hardware.During this time, the classification would be 'un-known' and traffic will fall under the default queue.


Configuring Application Visibility and Control in a Wired NetworkBasic Troubleshooting - Questions and Answers

Additional References for Application Visibility and ControlRelated Documents




Feature History for Application Visibility and Control in a WiredNetwork

This table provides release and related information for features explained in this module.



AVC is a critical part of Cisco’s efforts to evolveits Branch and Campus solutions from being strictlypacket and connection based to beingapplication-aware and application-intelligent.


Application Visibilityand Control in a WiredNetwork


Support for defining QoS classes and policies basedon Network-Based Application Recognition(NBAR) attributes instead of specific protocols,was made available, with a few limitations. Onlybusiness-relevance and traffic-class are thesupported NBAR attributes.

Wired ApplicationVisibility and Control(Wired AVC)Attribute-based QoS(EasyQoS)


Support for DNS flow record was introduced. DNSflow record uses the DNS Domain-Name as thecollect field for defining the flow record.

DNS flow recordCisco IOS XE Gibraltar16.12.1

Support for interoperability of ApplicationVisibility and Control and Encrypted TrafficAnalytics on the same port was introduced.

Interoperability ofApplication Visibilityand Control andEncrypted TrafficAnalytics

Cisco IOS XE Amsterdam17.3.1



Configuring Application Visibility and Control in a Wired NetworkAdditional References for Application Visibility and Control



Configuring Application Visibility and Control in a Wired NetworkFeature History for Application Visibility and Control in a Wired Network

C H A P T E R 6Configuring SDM Templates

• Information About SDM Templates, on page 167• SDM Templates and Switch Stacks, on page 171• How to Configure SDM Templates, on page 172• Monitoring and Maintaining SDM Templates, on page 173• Configuration Examples for SDM Templates, on page 174• Additional References for SDM Templates, on page 176• Feature History for SDM Templates, on page 176

Information About SDM TemplatesYou can use SDM templates to configure system resources to optimize support for specific features, dependingon how your device is used in the network. You can select a standard template to provide maximum systemusage for some functions.

Cisco Catalyst 9500 Series Switches support the following standard templates:

• Core

• NAT

• Distribution

It is recommended that you reload the system as soon as you make a change to the SDM template. After youchange the template and the system reloads, you can use the show sdm prefer privileged EXEC commandto verify the new template configuration. If you enter the show sdm prefer command before you enter thereload privileged EXEC command, the show sdm prefer command shows the template currently in useand the template that will become active after a reload.

The default standard SDM template is the Core template.Note

The NAT template cannot be used to create a customizable SDM template.Note


Customizable SDM Template

Overview of Customizable SDM TemplateSwitch Device Manager (SDM) templates can be used to configure system resources and optimize supportfor specific features. However standard SDM templates are defined based on how the device is deployed inthe network.

A custom SDM template will allow you to configure the features of the template based on your requirementsand not the location of the device in the network. Starting with the Cisco IOS XE Amsterdam 17.3.1 release,you can configure a custom SDM template for Forwarding Information Base (FIB) using the sdm prefercustom fib command.

Starting with the Cisco IOS XE Bengaluru 17.4.1 release, you can configure a custom SDM template forAccess Control List (ACL) features using the sdm prefer custom acl command.

Starting with the Cisco IOS XE Bengaluru 17.5.1 release, you can configure a custom SDM template for 4kVLAN using the sdm prefer custom vlan command.

A Customizable SDM template supports the following FIB features:

• Unicast MAC addresses

• Layer 3 Unicast forwarding

• Layer 2 Multicast forwarding

• Layer 3 Multicast forwarding

• Ingress Netflow

• Egress Netflow

• SGT/DGT Index / MPLS VPN Label

A Customizable SDM template supports the following ACL features:

• Ingress Access Control List (ACL)

• Egress ACL

• Ingress Quality of Service (QoS)

• Egress QoS

• Netflow ACL

• Policy Based Routing (PBR)/ Network Address Translation (NAT)

• Locator/ID Separation Protocol (LISP)

• Tunnels

A Customizable SDM template for 4k VLAN supports only the 4K VLAN feature. You can increase the scaleof VLAN from 1k to 4k.

A Customizable SDM template for 4k VLAN increases the number of supported Switch Virtual Interfaces(SVI) to 4000.


Configuring SDM TemplatesCustomizable SDM Template

The following table shows the minimum and maximum scale values that can be configured for each of theFIB features, the step units and the default values that will be applied when no custom values are chosen fora feature.

Table 9: Scale values and Default values for FIB features

Default ValuesStep UnitsScale Values (Min-Max)Feature name

327681638432768 - 131072MAC addresses

655361638465536 - 262144Unicast routes

16384163840, 16384 - 32768Layer 2 Multicast

16384163840, 16384 - 32768Layer 3 Multicast

32768327680, 32768 - 65536SG Hash/MPLS

32768327680, 32768 - 65536Ingress Netflow

0327680, 32768 - 65536Egress NetFlow

The following table shows the minimum and maximum scale values that can be configured for each of theACL features, the step units and the default values that will be applied when no custom values are chosen fora feature.

Table 10: Scale values and Default values for ACL features

Default ValuesStep UnitsScale Values (Min-Max)Feature name

409620484096 - 26624, 27648Ingress ACL

409620484096 - 26624, 27648Egress ACL

102420481024, 2048 - 16384Ingress QoS

102420481024, 2048 - 16384Egress QoS

102410241024 - 2048Netflow ACL

102420481024, 2048 - 16384PBR/ NAT

102410241024 - 2048LISP

102410241024 - 3072Tunnels

You can determine which features are allocated the resources first by assigning them a priority using thepriority keyword.The lower the priority-value assigned to a feature the higher its priority in resource allocation.The total value that is assigned to all the features can exceed the maximum supported resource value of 416Kfor FIB features or 52 K for ACL features, where K is equal to 1024 entries. The resource allocation algorithmwill use the priority-values to determine the number of resources assigned to each feature.

Once you have configured a customized template the device will have to be reloaded for the template to takeeffect.


Configuring SDM TemplatesOverview of Customizable SDM Template

For features where the scale value can be set to zero, you need to specify the scale value as zero. If not, thedefault value will be assigned as the scale value.

Note

System resource allocation for Customizable SDM TemplateThe total number of system resources assigned to a Customizable SDM Template is 416K for FIB featuresand 52K for ACL features. If the total number of all the resources specified exceeds 416K for FIB featuresor 52K for ACL features, the system starts to lower the number of allotted resources starting with the featureassigned the highest number. A higher priority value or number assigned to a feature indicates a lower priority.

When the total number of resources assigned in the Customizable SDM Template is less than 416K for FIBfeatures or less than 52K for ACL features:

• All the features specified in the template are allotted resources as customized in the template. Any featuresnot specified in the template are allotted the default number of resources.

• If the total number of resources assigned to the FIB features multicast layer 2 and layer 3 exceeds 48K,then the scale of the multicast feature assigned the lower priority is reduced until the total number ofresources assigned is equal to 48K.

• Resources that aren't allotted won’t be distributed.

When the total number of resources assigned in the Customizable SDM Template is more than 416K for FIBfeatures and more than 52K for ACL features:

• All the features for which a custom scale isn’t specified are allotted the default values.

• If the total number of resources assigned to FIB features multicast layer 2 and layer 3 exceeds 48K, thenthe scale of the multicast feature that is assigned the lower priority is reduced until the total number ofresources assigned is less than or equal to 48K.

• The number of resources allotted to the feature with the highest priority value are decreased by the stepvalue.

• If the total number of resources still exceeds 416K for FIB features or 52K for ACL features, the resourcesallotted to the next feature with the highest priority value are decreased by the step value.

• While lowering the resources allotted to a feature, the scale is lowered only until the default value forthat feature. If further adjustment is required, the resources allotted to the next feature on the priority listare reduced.

The custom value entered by you for any feature is rounded up to the next step value. For example, if youenter a value of 40K for SGT it’s rounded up to 64K.

Note

Customizable SDM Template and High AvailabilityOn a device which supports High Availability, when a Customizable SDM Template is configured on theactive Supervisor it also takes effect on the standby Supervisor.


Configuring SDM TemplatesSystem resource allocation for Customizable SDM Template

If the standby Supervisor is configured with a different custom template than the active Supervisor, theCustomizable SDM Template of the active Supervisor is configured on the standby Supervisor duringinitialization.

Customizable SDM Template and StackWise VirtualOn a device which supports StackWise Virtual, when an SDMTemplate is configured on the active Supervisorit also takes effect on the standby chassis.

If the standby chassis is configured with a different custom template than the active Supervisor, the SDMTemplate of the active Supervisor is configured on the standby chassis during initialization. The standbychassis undergoes an extra reload for the template to take effect.

Customizable SDM Template and ISSUWhen a device undergoes an In-Service Software Upgrade (ISSU) to a higher release and there’s a change inthe resource allocation algorithm, this upgrade can result in a different scale for the same user input. Thechange in scale is detected and notified via a syslog message. The system continues to operate with the earlierscale.

You can view the change in scale by using the show sdm prefer custom scale-change command. You canapply this change in scale by using the sdm prefer custom commit command. The device has to be reloadedfor the change to take effect.

When a device with a customizable SDM template for FIB features undergoes a downgrade to a release earlierthan the Cisco IOS XE Amsterdam 17.3.1 release, you need to change the SDM template to a static SDMtemplate before the downgrade. You can change the template using the sdm prefer template name command.Reload the system for the change to take effect before proceeding with the downgrade.

When a device with a customizable SDM template for ACL features undergoes a downgrade to a releaseearlier than the Cisco IOS XE Bengaluru 17.4.1 release, you need to change the SDM template to a staticSDM template before the downgrade.

When a device has customizable SDM templates for both FIB and ACL features customized in the Cisco IOSXE Bengaluru 17.4.1 release and it downgrades to the Cisco IOS XE Amsterdam 17.3.1 release, the devicewill be restored with the customizations for the FIB features. The scale numbers for the ACL features will bealloted based on the scale values of the standard SDM template. The information about the customization ofthe ACL features will be preserved. The device will be restored with the customizations for the ACL featureswhen it upgrades to the Cisco IOS XE Bengaluru 17.4.1 release.

SDM Templates and Switch StacksIn a switch stack, all stack members must use the same SDM template that is stored on the active switch.When a new switch is added to a stack, the SDM configuration that is stored on the active switch overridesthe template configured on an individual switch.

You can use the show switch privileged EXEC command to see if any stack members are in SDM mismatchmode.


Configuring SDM TemplatesCustomizable SDM Template and StackWise Virtual

How to Configure SDM Templates

Setting the SDM TemplateFollow these steps to use the SDM template to maximize feature usage:

Procedure




Device> enable


Example:

Step 2


Specifies the SDM template to be used on theswitch. The keywords have these meanings:

sdm prefer { core | nat | distribution| custom }

Step 3

Example: • core —Sets the Core template.

Device(config)# sdm prefer distribution• nat —Maximizes the NAT configurationon the switch.

• distribution —Sets the Distributiontemplate.

• custom —Sets the Custom template forFIB, ACL features or for VLAN.Thecustom templates allow you to configurethe values of certain FIB features, ACLfeatures or the VLAN feature.

The no sdm prefer command anda default template is not supported.

Note


Example:

Step 4

Device(config)# end

Reloads the operating system.reloadStep 5

Example:


Configuring SDM TemplatesHow to Configure SDM Templates


After the system reboots, you can use the showsdm prefer privileged EXEC command toDevice# reload

verify the new template configuration. If youenter the show sdm prefer command beforeyou enter the reload privileged EXECcommand, the show sdm prefer commandshows the template currently in use and thetemplate that will become active after a reload.

Monitoring and Maintaining SDM TemplatesVerifying SDM Templates

Use the following commands to monitor and maintain SDM templates.

PurposeCommand

Displays the SDM template in use.show sdm prefer

The SDM templates contain only those commands that are defined as part of the templates. If a templateenables another related command that is not defined in the template, then this other command will be visiblewhen the show running config command is entered. For example, if the SDM template enables the switchportvoice vlan command, then the spanning-tree portfast edge command may also be enabled (although it isnot defined on the SDM template).

If the SDM template is removed, then other such related commands are also removed and have to bereconfigured explicitly.

Note

Verifying Customizable SDM Templates

Use the following commands to verify the customizable SDM Template that will be applied.

Table 11: Commands to verify the customizable SDM template

DescriptionCommand

Displays the custom values that will be applied to thefeatures in the customizable SDM template.

show sdm prefer custom

Displays the values that were entered by the user inthe customizable SDM template.

show sdm prefer custom user-input

Displays the customized SDM template that iscurrently active.

show sdm prefer

If any feature in the Customizable SDM template has been assigned a scale value of zero, the feature will notbe listed in the output of the show sdm prefer custom command after the device is reloaded.


Configuring SDM TemplatesMonitoring and Maintaining SDM Templates

Configuration Examples for SDM Templates

Examples: Displaying SDM TemplatesThe following example output shows the core template information on Cisco Catalyst 9500 Series Switches:Device# show sdm prefer coreThis is the Core template.Security Ingress IPv4 Access Control Entries*: 7168 (current) - 7168 (proposed)Security Ingress Non-IPv4 Access Control Entries*: 5120 (current) - 5120 (proposed)Security Egress IPv4 Access Control Entries*: 7168 (current) - 7168 (proposed)Security Egress Non-IPv4 Access Control Entries*: 8192 (current) - 8192 (proposed)QoS Ingress IPv4 Access Control Entries*: 4096 (current) - 4096 (proposed)QoS Ingress Non-IPv4 Access Control Entries*: 4096 (current) - 4096 (proposed)QoS Egress IPv4 Access Control Entries*: 4096 (current) - 4096 (proposed)QoS Egress Non-IPv4 Access Control Entries*: 4096 (current) - 4096 (proposed)Netflow Input Access Control Entries*: 512 (current) - 512 (proposed)Netflow Output Access Control Entries*: 512 (current) - 512 (proposed)Flow SPAN Input Access Control Entries*: 512 (current) - 512 (proposed)Flow SPAN Output Access Control Entries*: 512 (current) - 512 (proposed)Number of VLANs: 4094Unicast MAC addresses: 32768Overflow Unicast MAC addresses: 768Overflow L2 Multicast entries: 2304L3 Multicast entries: 32768Overflow L3 Multicast entries: 768Ipv4/Ipv6 shared unicast routes: 212992Overflow shared unicast routes: 1536Policy Based Routing ACEs / NAT ACEs: 3072Tunnels: 2816LISP Instance Mapping Entries: 2048Control Plane Entries: 512Input Netflow flows: 32768Output Netflow flows: 32768SGT/DGT (or) MPLS VPN entries: 32768SGT/DGT (or) MPLS VPN Overflow entries: 768Wired clients: 2048MACSec SPD Entries: 256MPLS L3 VPN VRF: 1024MPLS Labels: 45056MPLS L3 VPN Routes VRF Mode: 209920MPLS L3 VPN Routes Prefix Mode: 32768MVPN MDT Tunnels: 1024L2 VPN EOMPLS Attachment Circuit: 1024MAX VPLS Bridge Domains : 1000MAX VPLS Peers Per Bridge Domain: 128MAX VPLS/VPWS Pseudowires : 16384

Ipv4/Ipv6 Direct and Indirect unicast routes share same space* values can be modified by sdm cl

The following example output shows the NAT template information on Cisco Catalyst 9500 Series Switches:Device# show sdm prefer natThis is the NAT template.Security Ingress IPv4 Access Control Entries*: 7168 (current) - 7168 (proposed)Security Ingress Non-IPv4 Access Control Entries*: 5120 (current) - 5120 (proposed)Security Egress IPv4 Access Control Entries*: 3072 (current) - 3072 (proposed)Security Egress Non-IPv4 Access Control Entries*: 5120 (current) - 5120 (proposed)QoS Ingress IPv4 Access Control Entries*: 2560 (current) - 2560 (proposed)QoS Ingress Non-IPv4 Access Control Entries*: 1536 (current) - 1536 (proposed)


Configuring SDM TemplatesConfiguration Examples for SDM Templates

QoS Egress IPv4 Access Control Entries*: 3072 (current) - 3072 (proposed)QoS Egress Non-IPv4 Access Control Entries*: 1024 (current) - 1024 (proposed)Netflow Input Access Control Entries*: 1024 (current) - 1024 (proposed)Netflow Output Access Control Entries*: 1024 (current) - 1024 (proposed)Flow SPAN Input Access Control Entries*: 512 (current) - 512 (proposed)Flow SPAN Output Access Control Entries*: 512 (current) - 512 (proposed)Number of VLANs: 4094Unicast MAC addresses: 32768Overflow Unicast MAC addresses: 768Overflow L2 Multicast entries: 2304L3 Multicast entries: 32768Overflow L3 Multicast entries: 768Ipv4/Ipv6 shared unicast routes: 212992Overflow shared unicast routes: 1536Policy Based Routing ACEs / NAT ACEs: 15872Tunnels: 1792LISP Instance Mapping Entries: 1024Control Plane Entries: 1024Input Netflow flows: 32768Output Netflow flows: 32768SGT/DGT (or) MPLS VPN entries: 32768SGT/DGT (or) MPLS VPN Overflow entries: 768Wired clients: 2048MACSec SPD Entries: 256MPLS L3 VPN VRF: 1024MPLS Labels: 45056MPLS L3 VPN Routes VRF Mode: 209920MPLS L3 VPN Routes Prefix Mode: 32768MVPN MDT Tunnels: 1024L2 VPN EOMPLS Attachment Circuit: 1024MAX VPLS Bridge Domains : 1000MAX VPLS Peers Per Bridge Domain: 128MAX VPLS/VPWS Pseudowires : 16384

Ipv4/Ipv6 Direct and Indirect unicast routes share same space* values can be modified by sdm cli

The following example output shows the distribution template information on Cisco Catalyst 9500 SeriesSwitches:Device# show sdm prefer distributionThis is the Distribution template.Security Ingress IPv4 Access Control Entries*: 7168 (current) - 7168 (proposed)Security Ingress Non-IPv4 Access Control Entries*: 5120 (current) - 5120 (proposed)Security Egress IPv4 Access Control Entries*: 7168 (current) - 7168 (proposed)Security Egress Non-IPv4 Access Control Entries*: 8192 (current) - 8192 (proposed)QoS Ingress IPv4 Access Control Entries*: 5632 (current) - 5632 (proposed)QoS Ingress Non-IPv4 Access Control Entries*: 2560 (current) - 2560 (proposed)QoS Egress IPv4 Access Control Entries*: 6144 (current) - 6144 (proposed)QoS Egress Non-IPv4 Access Control Entries*: 2048 (current) - 2048 (proposed)Netflow Input Access Control Entries*: 1024 (current) - 1024 (proposed)Netflow Output Access Control Entries*: 1024 (current) - 1024 (proposed)Flow SPAN Input Access Control Entries*: 512 (current) - 512 (proposed)Flow SPAN Output Access Control Entries*: 512 (current) - 512 (proposed)Number of VLANs: 4094Unicast MAC addresses: 81920Overflow Unicast MAC addresses: 768Overflow L2 Multicast entries: 2304L3 Multicast entries: 16384Overflow L3 Multicast entries: 768Ipv4/Ipv6 shared unicast routes: 114688Overflow shared unicast routes: 1536Policy Based Routing ACEs / NAT ACEs: 3072Tunnels: 2816LISP Instance Mapping Entries: 1024Control Plane Entries: 1024


Configuring SDM TemplatesExamples: Displaying SDM Templates

Input Netflow flows: 49152Output Netflow flows: 49152SGT/DGT (or) MPLS VPN entries: 32768SGT/DGT (or) MPLS VPN Overflow entries: 768Wired clients: 2048MACSec SPD Entries: 256MPLS L3 VPN VRF: 1024MPLS Labels: 45056MPLS L3 VPN Routes VRF Mode: 112640MPLS L3 VPN Routes Prefix Mode: 32768MVPN MDT Tunnels: 1024L2 VPN EOMPLS Attachment Circuit: 1024MAX VPLS Bridge Domains : 1000MAX VPLS Peers Per Bridge Domain: 128MAX VPLS/VPWS Pseudowires : 16384

Ipv4/Ipv6 Direct and Indirect unicast routes share same space* values can be modified by sdm cli

Examples: Configuring SDM Templates

Device(config)# sdm prefer distributionDevice(config)# exitDevice# reloadProceed with reload? [confirm]

Additional References for SDM TemplatesRelated Documents



For complete syntax and usage information for the commands used inthis chapter.

Feature History for SDM TemplatesThis table provides release and related information for features explained in this module.



Configuring SDM TemplatesExamples: Configuring SDM Templates


Standard SDM templates can be used to configuresystem resources to optimize support for specificfeatures.


SDM TemplateCisco IOSXEEverest 16.5.1a


SDM TemplateCisco IOS XE Fuji 16.8.1a

Support for customizable SDM templates for FIBfeatures was introduced. Customizable SDMtemplates can be used to configure the features ofthe template as per the user's requirements.

Customizable SDMTemplate for FIBFeatures


Support for customizable SDM templates for ACLfeatures was introduced. Customizable SDMtemplates can be used to configure the features ofthe template as per the user's requirements.

Customizable SDMTemplate for ACLFeatures

Cisco IOS XE Bengaluru17.4.1

Support for customizable SDM templates for 4kVLAN was introduced.

Customizable SDMtemplate for 4k VLAN




Configuring SDM TemplatesFeature History for SDM Templates



Configuring SDM TemplatesFeature History for SDM Templates

C H A P T E R 7Configuring System Message Logs

• Information About Configuring System Message Logs, on page 179• How to Configure System Message Logs, on page 182• Monitoring and Maintaining System Message Logs, on page 190• Configuration Examples for System Message Logs, on page 190• Additional References for System Message Logs, on page 190• Feature History for System Message Logs, on page 190

Information About Configuring System Message Logs

System Messsage LoggingBy default, a switch sends the output from system messages and debug privileged EXEC commands to alogging process. Member switches in a stack can trigger system messages. A member switch that generatesa system message appends its hostname in the form of hostname-n, where n is a switch , and redirects theoutput to the logging process on the active switch . Though the active switch is a stack member, it does notappend its hostname to system messages. The logging process controls the distribution of logging messagesto various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on yourconfiguration. The process also sends messages to the console.

When the logging process is disabled, messages are sent only to the console. The messages are sent as theyare generated, so message and debug output are interspersed with prompts or output from other commands.Messages appear on the active consoles after the process that generated them has finished.

You can set the severity level of the messages to control the type of messages displayed on the consoles andeach of the destinations. You can time-stamp log messages or set the syslog source address to enhance real-timedebugging and management. For information on possible messages, see the system message guide for thisrelease.

You can access logged system messages by using the switch command-line interface (CLI) or by saving themto a properly configured syslog server. The switch software saves syslog messages in an internal buffer on astandalone switch, and in the case of a switch stack, on the active switch . If a standalone switch or the activeswitch fails, the log is lost unless you had saved it to flash memory.

You can remotely monitor system messages by viewing the logs on a syslog server or by accessing the switchthrough Telnet, through the console port, or through the Ethernet management port. In a switch stack, allmember switch consoles provide the same console output.


The syslog format is compatible with 4.3 BSD UNIX.Note

System Log Message FormatSystem log messages can contain up to 80 characters and a percent sign (%), which follows the optionalsequence number or time-stamp information, if configured. Depending on the switch, messages appear in oneof these formats:

• seq no:timestamp: %facility-severity-MNEMONIC:description (hostname-n)

• seq no:timestamp: %facility-severity-MNEMONIC:description

The part of the message preceding the percent sign depends on the setting of these global configurationcommands:

• service sequence-numbers

• service timestamps log datetime

• service timestamps log datetime [localtime] [msec] [show-timezone]

• service timestamps log uptime

Table 12: System Log Message Elements

DescriptionElement

Stamps logmessages with a sequence number only if the service sequence-numbersglobal configuration command is configured.

seq no:

Date and time of the message or event. This information appears only if the servicetimestamps log [datetime | log] global configuration command is configured.

timestamp formats:

mm/dd h h:mm:ss

or

hh:mm:ss (shortuptime)

or

d h (long uptime)

The facility to which the message refers (for example, SNMP, SYS, and so forth).facility

Single-digit code from 0 to 7 that is the severity of the message.severity

Text string that uniquely describes the message.MNEMONIC

Text string containing detailed information about the event being reported.description


Configuring System Message LogsSystem Log Message Format

Default System Message Logging SettingsTable 13: Default System Message Logging Settings


Enabled.Systemmessage logging to the console

Debugging.Console severity

No filenamespecified.

Logging file configuration

4096 bytes.Logging buffer size

1 message.Logging history size

Disabled.Time stamps

Disabled.Synchronous logging

Disabled.Logging server

None configured.Syslog server IP address

Local7Server facility

Informational.Server severity

Syslog Message LimitsIf you enabled syslog message traps to be sent to an SNMP network management station by using thesnmp-server enable trap global configuration command, you can change the level of messages sent andstored in the switch history table. You also can change the number of messages that are stored in the historytable.

Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination. Bydefault, one message of the level warning and numerically lower levels are stored in the history table evenif syslog traps are not enabled.

When the history table is full (it contains the maximum number of message entries specified with the logginghistory size global configuration command), the oldest message entry is deleted from the table to allow thenew message entry to be stored.

The history table lists the level keywords and severity level. For SNMP usage, the severity level values increaseby 1. For example, emergencies equal 1, not 0, and critical equals 3, not 2.


Configuring System Message LogsDefault System Message Logging Settings

How to Configure System Message Logs

Setting the Message Display Destination DeviceIf message logging is enabled, you can send messages to specific locations in addition to the console.

This task is optional.

Procedure



Example:

Step 1


Logs messages to an internal buffer on theswitch or on a standalone switch or, in the case

logging buffered [size]

Example:

Step 2

of a switch stack, on the active switch.. The

Device(config)# logging buffered 8192range is 4096 to 2147483647 bytes. The defaultbuffer size is 4096 bytes.

If a standalone switch or the active switch fails,the log file is lost unless you previously savedit to flash memory. See Step 4.

Do not make the buffer size too largebecause the switch could run out ofmemory for other tasks. Use theshow memory privileged EXECcommand to view the free processormemory on the switch. However,this value is the maximum available,and the buffer size should not be setto this amount.

Note

Logs messages to a UNIX syslog server host.logging hostStep 3

Example: host specifies the name or IP address of the hostto be used as the syslog server.

Device(config)# logging 125.1.1.100 To build a list of syslog servers that receivelogging messages, enter this command morethan once.

Stores log messages in a file in flash memoryon a standalone switch or, in the case of aswitch stack, on the active switch .

logging file flash: filename [max-file-size[min-file-size]] [severity-level-number | type]

Example:

Step 4


Configuring System Message LogsHow to Configure System Message Logs


Device(config)# logging file• filename—Enters the log messagefilename.

flash:log_msg.txt 40960 4096 3

• (Optional) max-file-size —Specifies themaximum logging file size. The range is4096 to 2147483647. The default is 4096bytes.

• (Optional) min-file-size—Specifies theminimum logging file size. The range is1024 to 2147483647. The default is 2048bytes.

• (Optional) severity-level-number |type—Specifies either the logging severitylevel or the logging type. The severityrange is 0 to 7.


Example:

Step 5

Device(config)# end

Logsmessages to a nonconsole terminal duringthe current session.

terminal monitor

Example:

Step 6

Terminal parameter-setting commands are setlocally and do not remain in effect after theDevice# terminal monitor

session has ended. You must perform this stepfor each session to see the debugging messages.

Synchronizing Log MessagesYou can synchronize unsolicited messages and debug privileged EXEC command output with solicited deviceoutput and prompts for a specific console port line or virtual terminal line. You can identify the types ofmessages to be output asynchronously based on the level of severity. You can also configure the maximumnumber of buffers for storing asynchronous messages for the terminal after which messages are dropped.

When synchronous logging of unsolicited messages and debug command output is enabled, unsolicited deviceoutput appears on the console or printed after solicited device output appears or is printed. Unsolicitedmessagesand debug command output appears on the console after the prompt for user input is returned. Therefore,unsolicitedmessages and debug command output are not interspersed with solicited device output and prompts.After the unsolicited messages appear, the console again displays the user prompt.



Configuring System Message LogsSynchronizing Log Messages

Procedure



Example:

Step 1


Specifies the line to be configured forsynchronous logging of messages.

line [console | vty] line-number[ending-line-number]

Step 2

Example: • console —Specifies configurations thatoccur through the switch console port orthe Ethernet management port.Device(config)# line console

• line vty line-number—Specifies which vtylines are to have synchronous loggingenabled. You use a vty connection forconfigurations that occur through a Telnetsession. The range of line numbers is from0 to 15.

You can change the setting of all 16 vty linesat once by entering:

line vty 0 15

You can also change the setting of the singlevty line being used for your current connection.For example, to change the setting for vty line2, enter:

line vty 2

When you enter this command, the modechanges to line configuration.

Enables synchronous logging of messages.logging synchronous [level [severity-level |all] | limit number-of-buffers]

Step 3

• (Optional) level severity-level—Specifiesthe message severity level. Messages withExample:a severity level equal to or higher than this

Device(config)# logging synchronous level value are printed asynchronously. Low3 limit 1000 numbers mean greater severity and high

numbers mean lesser severity. The defaultis 2.

• (Optional) level all—Specifies that allmessages are printed asynchronouslyregardless of the severity level.

• (Optional) limitnumber-of-buffers—Specifies the numberof buffers to be queued for the terminal


Configuring System Message LogsSynchronizing Log Messages


after which new messages are dropped.The range is 0 to 2147483647. The defaultis 20.


Example:

Step 4

Device(config)# end

Disabling Message LoggingMessage logging is enabled by default. It must be enabled to send messages to any destination other than theconsole.When enabled, logmessages are sent to a logging process, which logs messages to designated locationsasynchronously to the processes that generated the messages.

Disabling the logging process can slow down the switch because a process must wait until the messages arewritten to the console before continuing.When the logging process is disabled, messages appear on the consoleas soon as they are produced, often appearing in the middle of command output.

The logging synchronous global configuration command also affects the display of messages to the console.When this command is enabled, messages appear only after you press Return.

To reenable message logging after it has been disabled, use the logging on global configuration command.


Procedure



Example:

Step 1


Disables message logging.no logging console

Example:

Step 2

Device(config)# no logging console


Example:

Step 3

Device(config)# end


Configuring System Message LogsDisabling Message Logging

Enabling and Disabling Time Stamps on Log MessagesBy default, log messages are not time-stamped.


Procedure



Example:

Step 1


Enables log time stamps.Use one of these commands:Step 2

• service timestamps log uptime • log uptime—Enables time stamps on logmessages, showing the time since thesystem was rebooted.

• service timestamps log datetime[msec |localtime | show-timezone]

• log datetime—Enables time stamps on logmessages. Depending on the options

Example:Device(config)# service timestamps loguptime selected, the time stamp can include the

date, time in milliseconds relative to thelocal time zone, and the time zone name.or

Device(config)# service timestamps logdatetime


Example:

Step 3

Device(config)# end

Enabling and Disabling Sequence Numbers in Log MessagesIf there is more than one log message with the same time stamp, you can display messages with sequencenumbers to view these messages. By default, sequence numbers in log messages are not displayed.


Procedure



Example:

Step 1


Configuring System Message LogsEnabling and Disabling Time Stamps on Log Messages



Enables sequence numbers.service sequence-numbers

Example:

Step 2

Device(config)# service sequence-numbers


Example:

Step 3

Device(config)# end

Defining the Message Severity LevelLimit messages displayed to the selected device by specifying the severity level of the message.


Procedure



Example:

Step 1


Limits messages logged to the console.logging console levelStep 2

Example: By default, the console receives debuggingmessages and numerically lower levels.

Device(config)# logging console 3

Limits messages logged to the terminal lines.logging monitor levelStep 3

Example: By default, the terminal receives debuggingmessages and numerically lower levels.

Device(config)# logging monitor 3

Limits messages logged to the syslog servers.logging trap levelStep 4

Example: By default, syslog servers receive informationalmessages and numerically lower levels.

Device(config)# logging trap 3


Configuring System Message LogsDefining the Message Severity Level



Example:

Step 5

Device(config)# end

Limiting Syslog Messages Sent to the History Table and to SNMPThis task explains how to limit syslog messages that are sent to the history table and to SNMP.


Procedure



Example:

Step 1


Changes the default level of syslog messagesstored in the history file and sent to the SNMPserver.

logging history level

Example:

Device(config)# logging history 3

Step 2

By default, warnings, errors, critical, alerts,and emergencies messages are sent.

Specifies the number of syslog messages thatcan be stored in the history table.

logging history size number

Example:

Step 3

The default is to store one message. The rangeis 0 to 500 messages.Device(config)# logging history size 200


Example:

Step 4

Device(config)# end

Logging Messages to a UNIX Syslog DaemonThis task is optional.


Configuring System Message LogsLimiting Syslog Messages Sent to the History Table and to SNMP

Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network.If this is the case with your system, use the UNIX man syslogd command to decide what options must beadded to or removed from the syslog command line to enable logging of remote syslog messages.

Note

Before you begin

• Log in as root.

• Before you can send system logmessages to a UNIX syslog server, youmust configure the syslog daemonon a UNIX server.

Procedure


Add a line to the file /etc/syslog.conf.Step 1 • local7—Specifies the logging facility.

Example: • debug—Specifies the syslog level. Thefile must already exist, and the syslog

local7.debug /usr/adm/logs/cisco.log daemon must have permission to write toit.

Creates the log file. The syslog daemon sendsmessages at this level or at a more severe levelto this file.

Enter these commands at the UNIX shellprompt.

Example:

Step 2

$ touch /var/log/cisco.log$ chmod 666 /var/log/cisco.log

For more information, see theman syslog.confand man syslogd commands on your UNIXsystem.

Make sure the syslog daemon reads the newchanges.

Example:

Step 3

$ kill -HUP `cat /etc/syslog.pid`


Configuring System Message LogsLogging Messages to a UNIX Syslog Daemon

Monitoring and Maintaining System Message Logs

Monitoring Configuration Archive LogsPurposeCommand

Displays the entire configuration log or the log for specifiedparameters.

show archive log config {all | number[end-number] | user username [sessionnumber] number [end-number] | statistics}[provisioning]

Configuration Examples for System Message Logs

Example: Switch System MessageThis example shows a partial switch system message on a switch:

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed stateto down 2*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)*Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

Additional References for System Message LogsRelated Documents




Feature History for System Message LogsThis table provides release and related information for features explained in this module.



Configuring System Message LogsMonitoring and Maintaining System Message Logs


A switch sends the output from system messagesto a logging process. The logging process controlsthe distribution of logging messages to variousdestinations, such as the logging buffer, terminallines, or a UNIX syslog server, depending on yourconfiguration


System Message LogsCisco IOSXEEverest 16.5.1a


System Message LogsCisco IOS XE Fuji 16.8.1a



Configuring System Message LogsFeature History for System Message Logs



Configuring System Message LogsFeature History for System Message Logs

C H A P T E R 8Configuring Online Diagnostics

• Information About Configuring Online Diagnostics, on page 193• How to Configure Online Diagnostics, on page 201• Monitoring and Maintaining Online Diagnostics, on page 206• Configuration Examples for Online Diagnostics, on page 207• Additional References for Online Diagnostics, on page 209• Feature Information for Configuring Online Diagnostics, on page 209

Information About Configuring Online DiagnosticsWith online diagnostics, you can test and verify the hardware functionality of a device while the device isconnected to a live network. Online diagnostics contains packet-switching tests that check different hardwarecomponents and verify the data path and control signals.

Online diagnostics detects problems in these areas:

• Hardware components

• Interfaces (Ethernet ports and so forth)

• Solder joints

Online diagnostics are categorized as on-demand, scheduled, or health-monitoring diagnostics. On-demanddiagnostics run from the CLI; scheduled diagnostics run at user-designated intervals or at specified timeswhen the device is connected to a live network; and health-monitoring runs in the background with user-definedintervals. The health-monitoring test runs every 90, 100, or 150 seconds based on the test.

After you configure online diagnostics, you can manually start diagnostic tests or display the test results. Youcan also see which tests are configured for the device or switch stack and the diagnostic tests that have alreadyrun.


Generic Online Diagnostics (GOLD) Tests

• Before you enable online diagnostics tests, enable console logging to see all the warning messages.

• While tests are running, all the ports are shut down because a stress test is being performed with loopingports internally, and external traffic might affect the test results. Reboot the switch to bring it to normaloperation. When you run the command to reload a switch, the system will ask you if the configurationshould be saved. Do not save the configuration.

• If you are running tests on other modules, after a test is initiated and complete, you must reset the module.

Note

The following sections provide information about GOLD tests.

Cisco Catalyst 9500 Series Switches

DiagGoldPktTest

This GOLD packet loopback test verifies the MAC-level loopback functionality. In this test, a GOLD packetis sent, for which Unified Access Data Plane (UADP) ASIC provides support in the hardware. The packetloops back at the MAC-level and is matched against the stored packet.

DescriptionAttribute

Nondisruptive.Disruptive or Nondisruptive

Run this on-demand test as per requirement.Recommendation

Off.Default

Cisco IOS XE Everest 16.6.1.Intitial release

–Corrective action

Supervisors and linecards.Hardware support

DiagThermalTest

This test verifies the temperature reading from a device sensor.


NondisruptiveDisruptive or Nondisruptive

Do not disable. Run this as an on-demand test, and asa health-monitoring test if the administrator is down.

Recommendation

On.Default





Configuring Online DiagnosticsGeneric Online Diagnostics (GOLD) Tests

DiagFanTest

This test verifies if all the fan modules that have been inserted are working properly on the board.



Run this as a health-monitoring test if you experiencea problem with the fan module.

Recommendation

On.Default



Supervisors.Hardware support

DiagPhyLoopbackTest

This PHY loopback test verifies the PHY-level loopback functionality. In this test, a packet, which loops backat the PHY level and is matched against the stored packet, is sent. It cannot be run as a health-monitoring test.

In certain cases when this test is run on-demand, ports are moved to the error-disabled state. In such cases,use the shut and no shut command in interface configuration mode to reenable these ports.

Note


Disruptive.Disruptive or Nondisruptive

If the link to the external connector is down, run thison-demand test to check the health of the link.

Recommendation

Off.Default




DiagScratchRegisterTest

This Scratch Register test monitors the health of ASICs by writing values into registers and reading back thevalues from these registers.






Do not disable. Run this test if the task of writingvalues to the registers fails. This can be run as ahealth-monitoring test and also as an on-demand test.

Recommendation

On.Default




DiagPoETest

This test checks the PoE controller functionality. Do not perform this test during normal switch operation.



Run this test if you experience PoE controller issueswith a port. This can be run only as an on-demandtest.

Recommendation

Off.Default



Linecards.Hardware support

DiagStackCableTest

This test verifies the stack-ring loopback functionality in the stacking environment. It cannot be run as ahealth-monitoring test.



Run this test to verify the stack-ring loopbackfunctionality in the stacking environment.

Recommendation

Off.Default


If the test fails, check the stack cables and connectors.Corrective action


DiagMemoryTest



This exhaustive ASIC memory test is run during normal switch operation. The corresponding switch utilizesmemory built-in self-test for this test. The memory test requires switch reboot after the test.


Very disruptive.Disruptive or Nondisruptive

Run this on-demand test only if you experiencememory-related problems in the system. Do not run

Recommendation

this test if you do not want to reload the Supervisorengine that is under test.

Off.Default




TestUnusedPortLoopback

This test periodically verifies the data path between the supervisor module and network ports of a moduleduring runtime to determine if any incoming network interface ports are locked. In this test, a Layer 2 packetis flooded on to the VLAN associated with the test port and the inband port of the supervisor engine. Thepacket loops back into the test port and returns to the supervisor engine on the same VLAN. This test runsonly on unused (admin down, that is, the ports are shut down) network ports irrespective of whether a cableis connected or not, and completes within a millisecond per port. This test substitutes the lack of a nondisruptiveloopback test in the current ASICs, and runs every 60 seconds.



Do not disable. This test is automatically disabledduring CPU usage spikes to maintain accuracy.

Recommendation

On.Default

Cisco IOS XE Fuji 16.9.1.Intitial release

Displays a syslog message indicating that a port hasfailed. In modules other than supervisor engines, if

Corrective action

all port groups fail (for example, at least one port perport ASIC fails more than the failure threshold for allthe port ASICs), the default action is to reset themodule and power down the module after two resets.


TestPortTxMonitoring

This test periodically monitors data-path traffic in the transmitted direction of each network port that isphysically connected to a device with status as UP. This test is completed within a millisecond per port. It



monitors the transmit counters at the ASIC level to verify that the ports are not stuck. It also displays syslogmessages, and users can take corrective actions using the Cisco IOS Embedded Event Manager (EEM).

Configure the time interval and threshold by entering the diagnostic monitor interval and diagnostic monitorthreshold commands, respectively. The test leverages the Cisco Discovery Protocol that transmits packets.The test runs every 75 seconds, and the failure threshold is set to 5 seconds by default.



Do not disable.Recommendation

On.Default


Displays a syslog message indicating that a port hasfailed.

Corrective action

All modules, including supervisor engines.Hardware support

Cisco Catalyst 9500 Series High Performance Switches

TestGoldPktLoopback

This GOLD packet loopback test verifies the MAC-level loopback functionality. In this test, a GOLD packetis sent, for which Unified Access Data Plane (UADP) ASIC provides support in the hardware. The packetloops back at the MAC-level and is matched against the stored packet.




Off.Default


Displays a syslog message if the test fails for a port.Corrective action

All modules.Hardware support

TestOBFL

This test verifies the on-board failure-logging capabilities. During this test, a diagnostic message is logged tothe Onboard Failure Logging (OBFL).




Off.Default




Cisco IOS XE Gibraltar 16.10.1.Intitial release



TestFantray

This test verifies if the fan tray has been inserted, and is working properly on the board. This test runs every100 seconds.



Do not disable. This can be run as a health-monitoringtest and also as an on-demand test.

Recommendation

On.Default


Displays a syslog message if the fan tray is not presentor any of the fans fail.

Corrective action


TestPhyLoopback

This PHY loopback test verifies the PHY-level loopback functionality. In this test, a packet, which loops backat the PHY level and is matched against the stored packet, is sent. It cannot be run as a health-monitoring test.



Run this as an on-demand test as per requirement.Recommendation

Off.Default




TestThermal

This test verifies the temperature reading from a device sensor if it is below the yellow temperature threshold.This test runs every 90 seconds.





Do not disable. Run this as an on-demand test and ahealth-monitoring test.

Recommendation

On.Default


Displays a syslog message if the test fails.Corrective action


TestScratchRegister

This Scratch Register test monitors the health of ASICs by writing values into registers and reading back thevalues from these registers. This test runs every 90 seconds.




Recommendation

On.Default




TestConsistencyCheck

This test checks if the hardware programming is correct. This test checks with the forwarding object managerto identify incomplete entries or long-pending configurations to the hardware. This test runs every 90 seconds.




Recommendation

On.Default

Cisco IOS XE Amsterdam 17.2.1.Intitial release





TestPortTxMonitoring

This test monitors the transmit counters of a connected interface. It verifies if a connected port is able to sendpackets or not. This test runs every 150 seconds.




Recommendation

On.Default

Cisco IOS XE Gibraltar 16.10.1.Intitial release



How to Configure Online DiagnosticsThe following sections provide information about the various procedures that comprise the online diagnosticsconfiguration.

Starting Online Diagnostic TestsAfter you configure diagnostic tests to run on a device, use the diagnostic start privileged EXEC commandto begin diagnostic testing.

After starting the tests, you cannot stop the testing process midway.

Use the diagnostic start switch privileged EXEC command to manually start online diagnostic testing:

Procedure


Starts the diagnostic tests.diagnostic start switch number test {name |test-id | test-id-range | all | basic | complete |minimal | non-disruptive | per-port}

Step 1

The switch number keyword is supported onlyon stacking device.

Example: You can specify the tests by using one of theseoptions:

Device# diagnostic start switch 2 testbasic

• name: Enters the name of the test.

• test-id: Enters the ID number of the test.

• test-id-range: Enters the range of test IDsby using integers separated by a commaand a hyphen.

• all: Starts all of the tests.


Configuring Online DiagnosticsHow to Configure Online Diagnostics


• basic: Starts the basic test suite.

• complete: Starts the complete test suite.

• minimal: Starts the minimal bootup testsuite.

• non-disruptive: Starts the nondisruptivetest suite.

• per-port: Starts the per-port test suite.

Configuring Online DiagnosticsYoumust configure the failure threshold and the interval between tests before enabling diagnostic monitoring.

Scheduling Online DiagnosticsYou can schedule online diagnostics to run at a designated time of day, or on a daily, weekly, or monthlybasis for a device. Use the no form of the diagnostic schedule switch command to remove the scheduling.

Procedure



Example:

Step 1

Device #configure terminal

Schedules on-demand diagnostic test for aspecific day and time.

diagnostic schedule switch number test {name| test-id | test-id-range | all | basic | complete |

Step 2

minimal | non-disruptive | per-port} {daily | The switch number keyword is supported onlyon stacking switches.on mm dd yyyy hh:mm | port inter-port-number

port-number-list |weekly day-of-week hh:mm}When specifying the test to be scheduled, usethese options:Example:

Device(config)# diagnostic schedule • name: Name of the test that appears in theshow diagnostic content command output.switch 3 test 1-5 on July 3 2013 23:10

• test-id: ID number of the test that appearsin the show diagnostic content commandoutput.

• test-id-range: ID numbers of the tests thatappear in the show diagnostic contentcommand output.

• all: All test IDs.


Configuring Online DiagnosticsConfiguring Online Diagnostics


• basic: Starts the basic on-demanddiagnostic tests.

• complete: Starts the complete test suite.

• minimal: Starts the minimal bootup testsuite.

• non-disruptive: Starts the nondisruptivetest suite.

• per-port: Starts the per-port test suite.

You can schedule the tests as follows:

• Daily: Use the daily hh:mm parameter.

• Specific day and time: Use the onmm dd yyyy hh:mm parameter.

• Weekly: Use the weekly day-of-weekhh:mm parameter.

Configuring Health-Monitoring DiagnosticsYou can configure health-monitoring diagnostic testing on a device while it is connected to a live network.You can configure the execution interval for each health-monitoring test, enable the device to generate asyslog message because of a test failure, and enable a specific test.

Use the no form of this command to disable testing.

By default, health monitoring is enabled only for a few tests, and the device generates a syslog message whena test fails.

Follow these steps to configure and enable the health-monitoring diagnostic tests:

Procedure



Example: Enter your password, if prompted.

Device> enable


Example:

Step 2



Configuring Online DiagnosticsConfiguring Health-Monitoring Diagnostics


Configures the health-monitoring interval ofthe specified test.

diagnostic monitor interval switch numbertest {name | test-id | test-id-range | all}hh:mm:ss milliseconds day

Step 3

The switch number keyword is supported onlyon stacking switches.Example:

Device(config)# diagnostic monitorWhen specifying a test, use one of theseparameters:interval switch 2 test 1 12:30:00 750

5 • name: Name of the test that appears inthe show diagnostic content commandoutput.



• all: All the diagnostic tests.

When specifying the interval, set theseparameters:

• hh:mm:ss: Monitoring interval, in hours,minutes, and seconds. The range for hhis 0 to 24, and the range for mm and ss is0 to 60.

• milliseconds: Monitoring interval, inmilliseconds (ms). The range is from 0 to999.

• day: Monitoring interval, in number ofdays. The range is from 0 to 20.

(Optional) Configures the switch to generatea syslog message when a health-monitoringtest fails.

diagnostic monitor syslog

Example:

Device(config)# diagnostic monitorsyslog

Step 4

(Optional) Sets the failure threshold for thehealth-monitoring test.

diagnostic monitor threshold switch numbernumber test {name | test-id | test-id-range |all} failure count count

Step 5

When specifying the tests, use one of theseparameters:Example:

Device(config)# diagnostic monitor• name: Name of the test that appears inthe show diagnostic content commandoutput.

threshold switch 2 test 1 failure count20







The range for the failure threshold count is 0to 99.

Enables the specified health-monitoring tests.diagnostic monitor switchnumber test {name| test-id | test-id-range | all}

Step 6

The switch number keyword is supported onlyon stacking switches.Example:

Device(config)# diagnostic monitorswitch 2 test 1

When specifying the tests, use one of theseparameters:

• name: Name of the test that appears inthe show diagnostic content commandoutput.





Example:

Step 7

Device(config)# end

(Optional) Display the online diagnostic testresults and the supported test suites.

show diagnostic { content | post | result |schedule | status | switch }

Step 8

(Optional) Verifies your entries.show running-config

Example:

Step 9




Example:

Step 10





Monitoring and Maintaining Online DiagnosticsYou can display the online diagnostic tests that are configured for a device or a device stack and check thetest results by using the privileged EXEC show commands in this table:

Table 14: Commands for Diagnostic Test Configuration and Results

PurposeCommand

Displays the online diagnostics configured for aswitch.

The switch [number | all] parameter is supportedonly on stacking switches.

show diagnostic content switch [number | all]

The below command applies to the C9500-12Q,C9500-16X, C9500-24Q, C9500-40X models of theCisco Catalyst 9500 Series Switches.

show diagnostic content

Displays the diagnostic tests that are runningcurrently. .

show diagnostic status

Displays the online diagnostics test results.


show diagnostic result switch [number | all] [detail| test {name | test-id | test-id-range | all} [detail]]

Displays the online diagnostics test results.


show diagnostic switch [number | all] [detail]


show diagnostic detail]

Displays the online diagnostics test schedule.


show diagnostic schedule [number | all]

Displays the POST results. (The output is the sameas the show post command output.)

show diagnostic post


show post

Displays diagnostic events such as error, information,or warning based on the test result.

show diagnostic events {event-type | module}


Configuring Online DiagnosticsMonitoring and Maintaining Online Diagnostics

PurposeCommand

Displays the short description of the results from anindividual test or all the tests.

show diagnostic description module [number] test{ name | test-id | all }

Configuration Examples for Online DiagnosticsThe following sections provide examples of online diagnostics configurations.

Examples: Start Diagnostic TestsThis example shows how to start a diagnostic test by using the test name:

Device#diagnostic start switch 2 test DiagFanTest

This example shows how to start all of the basic diagnostic tests:

Device# diagnostic start switch 1 test all

Example: Configure a Health-Monitoring Test

This example shows how to configure a health-monitoring test:

Device(config)# diagnostic monitor threshold switch 1 test 1 failure count 50Device(config)# diagnostic monitor interval switch 1 test TestPortAsicStackPortLoopback

Example: Schedule Diagnostic TestThis example shows how to schedule diagnostic testing for a specific day and time on a specific switch:Device(config)# diagnostic schedule test DiagThermalTest on June 3 2013 22:25

This example shows how to schedule diagnostic testing to occur weekly at a certain time on a specific switch:Device(config)# diagnostic schedule switch 1 test 1,2,4-6 weekly saturday 10:30

Example: Displaying Online DiagnosticsThis example shows how to display on-demand diagnostic settings:Device# show diagnostic ondemand settings

Test iterations = 1Action on test failure = continue


Configuring Online DiagnosticsConfiguration Examples for Online Diagnostics

This example shows how to display diagnostic events for errors:

Device# show diagnostic events event-type error

Diagnostic events (storage for 500 events, 0 events recorded)Number of events matching above criteria = 0

No diagnostic log entry exists.

This example shows how to display the description for a diagnostic test:

Device# show diagnostic description switch 1 test all

DiagGoldPktTest :The GOLD packet Loopback test verifies the MAC level loopbackfunctionality. In this test, a GOLD packet, for which dopplerprovides the support in hardware, is sent. The packet loops backat MAC level and is matched against the stored packet. It is a non-disruptive test.

DiagThermalTest :This test verifies the temperature reading from the sensor is below the yellowtemperature threshold. It is a non-disruptive test and can be run as a health

monitoring test.

DiagFanTest :This test verifies all fan modules have been inserted and working properly on the

boardIt is a non-disruptive test and can be run as a health monitoring test.

DiagPhyLoopbackTest :The PHY Loopback test verifies the PHY level loopbackfunctionality. In this test, a packet is sent which loops backat PHY level and is matched against the stored packet. It is adisruptive test and cannot be run as a health monitoring test.

DiagScratchRegisterTest :The Scratch Register test monitors the health of application-specificintegrated circuits (ASICs) by writing values into registers and readingback the values from these registers. It is a non-disruptive test and canbe run as a health monitoring test.

DiagPoETest :This test checks the PoE controller functionality. This is a disruptive testand should not be performed during normal switch operation.

DiagStackCableTest :This test verifies the stack ring loopback functionalityin the stacking environment. It is a disruptive test andcannot be run as a health monitoring test.

DiagMemoryTest :This test runs the exhaustive ASIC memory test during normal switch operationNG3K utilizes mbist for this test. Memory test is very disruptivein nature and requires switch reboot after the test.

Device#

The below example is not applicable to the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of theCisco Catalyst 9500 Series Switches. This example shows how to display the boot up level:


Configuring Online DiagnosticsExample: Displaying Online Diagnostics

Device# show diagnostic bootup level

Current bootup diagnostic level: minimal

Device#

Additional References for Online DiagnosticsRelated Documents




Feature Information for Configuring Online DiagnosticsThis table provides release and related information for features explained in this module.



With online diagnostics, you can test and verify thehardware functionality of the device while thedevice is connected to a live network.


Online DiagnosticsCisco IOSXEEverest 16.5.1a


Online DiagnosticsCisco IOS XE Fuji 16.8.1a



Configuring Online DiagnosticsAdditional References for Online Diagnostics



Configuring Online DiagnosticsFeature Information for Configuring Online Diagnostics

C H A P T E R 9Managing Configuration Files

• Prerequisites for Managing Configuration Files, on page 211• Restrictions for Managing Configuration Files, on page 211• Information About Managing Configuration Files, on page 211• How to Manage Configuration File Information, on page 218• Feature History for Managing Configuration Files, on page 245

Prerequisites for Managing Configuration Files• You should have at least a basic familiarity with the Cisco IOS environment and the command-lineinterface.

• You should have at least a minimal configuration running on your system. You can create a basicconfiguration file using the setup command.

Restrictions for Managing Configuration Files• Many of the Cisco IOS commands described in this document are available and function only in certainconfiguration modes on the device.

• Some of the Cisco IOS configuration commands are only available on certain device platforms, and thecommand syntax may vary on different platforms.

Information About Managing Configuration Files

Types of Configuration FilesConfiguration files contain the Cisco IOS software commands used to customize the functionality of yourCisco device. Commands are parsed (translated and executed) by the Cisco IOS software when the system isbooted (from the startup-config file) or when you enter commands at the CLI in a configuration mode.

Startup configuration files (startup-config) are used during system startup to configure the software. Runningconfiguration files (running-config) contain the current configuration of the software. The two configuration


files can be different. For example, you may want to change the configuration for a short time period ratherthan permanently. In this case, you would change the running configuration using the configure terminalEXEC command but not save the configuration using the copy running-config startup-config EXECcommand.

To change the running configuration, use the configure terminal command, as described in the Modifyingthe Configuration File, on page 219 section. As you use the Cisco IOS configuration modes, commandsgenerally are executed immediately and are saved to the running configuration file either immediately afteryou enter them or when you exit a configuration mode.

To change the startup configuration file, you can either save the running configuration file to the startupconfiguration using the copy running-config startup-config EXEC command or copy a configuration filefrom a file server to the startup configuration (see the Copying a Configuration File from a TFTP Server tothe Device section for more information).

Configuration Mode and Selecting a Configuration SourceTo enter configuration mode on the device, enter the configure command at the privileged EXEC prompt.The Cisco IOS software responds with the following prompt asking you to specify the terminal, memory, ora file stored on a network server (network) as the source of configuration commands:

Configuring from terminal, memory, or network [terminal]?

Configuring from the terminal allows you to enter configuration commands at the command line, as describedin the following section. See the Re-executing the Configuration Commands in the Startup Configuration Filesection for more information.

Configuring from the network allows you to load and execute configuration commands over the network. Seethe Copying a Configuration File from a TFTP Server to the Device section for more information.

Configuration File Changes Using the CLIThe Cisco IOS software accepts one configuration command per line. You can enter as many configurationcommands as you want. You can add comments to a configuration file describing the commands you haveentered. Precede a comment with an exclamation point (!). Because comments are not stored in NVRAM orin the active copy of the configuration file, comments do not appear when you list the active configurationwith the show running-config or more system:running-config EXEC command. Comments are notdisplayed when you list the startup configuration with the show startup-config or morenvram:startup-config EXEC mode command. Comments are stripped out of the configuration file when itis loaded onto the device. However, you can list the comments in configuration files stored on a File TransferProtocol (FTP), Remote Copy Protocol (RCP), or Trivial File Transfer Protocol (TFTP) server. When youconfigure the software using the CLI, the software executes the commands as you enter them.

Location of Configuration FilesConfiguration files are stored in the following locations:

• The running configuration is stored in RAM.

• On all platforms except the Class A Flash file system platforms, the startup configuration is stored innonvolatile random-access memory (NVRAM).


Managing Configuration FilesConfiguration Mode and Selecting a Configuration Source

• On Class A Flash file system platforms, the startup configuration is stored in the location specified bythe CONFIG_FILE environment variable (see the Specifying the CONFIG_FILE Environment Variableon Class A Flash File Systems , on page 240 section). The CONFIG_FILE variable defaults to NVRAMand can be a file in the following file systems:

• nvram: (NVRAM)

• flash: (internal flash memory)

• usbflash0: (external usbflash file system)

• usbflash1: (external usbflash file system)

Copy Configuration Files from a Network Server to the DeviceYou can copy configuration files from a TFTP, rcp, or FTP server to the running configuration or startupconfiguration of the device. You may want to perform this function for one of the following reasons:

• To restore a backed-up configuration file.

• To use the configuration file for another device. For example, youmay add another device to your networkand want it to have a similar configuration to the original device. By copying the file to the new device,you can change the relevant parts rather than recreating the whole file.

• To load the same configuration commands on to all of the devices in your network so that all of thedevices have similar configurations.

The copy{ftp: | rcp: | tftp:system:running-config} EXEC command loads the configuration files into thedevice as if you were typing the commands on the command line. The device does not erase the existingrunning configuration before adding the commands. If a command in the copied configuration file replacesa command in the existing configuration file, the existing command is erased. For example, if the copiedconfiguration file contains a different IP address in a particular command than the existing configuration, theIP address in the copied configuration is used. However, some commands in the existing configuration maynot be replaced or negated. In this case, the resulting configuration file is a mixture of the existing configurationfile and the copied configuration file, with the copied configuration file having precedence.

To restore a configuration file to an exact copy of a file stored on a server, you need to copy the configurationfile directly to the startup configuration (using the copy ftp:| rcp:| tftp:} nvram:startup-config command)and reload the device.

To copy configuration files from a server to a device, perform the tasks described in the following sections.

The protocol that you use depends onwhich type of server you are using. The FTP and rcp transport mechanismsprovide faster performance and more reliable delivery of data than TFTP. These improvements are possiblebecause the FTP and rcp transport mechanisms are built on and use the TCP/IP stack, which isconnection-oriented.

Copying a Configuration File from the Device to a TFTP ServerIn some implementations of TFTP, you must create a dummy file on the TFTP server and give it read, write,and execute permissions before copying a file over it. Refer to your TFTP documentation for more information.


Managing Configuration FilesCopy Configuration Files from a Network Server to the Device

Copying a Configuration File from the Device to an RCP ServerYou can copy a configuration file from the device to an RCP server.

One of the first attempts to use the network as a resource in the UNIX community resulted in the design andimplementation of the remote shell protocol, which included the remote shell (rsh) and remote copy (rcp)functions. Rsh and rcp give users the ability to execute commands remotely and copy files to and from a filesystem residing on a remote host or server on the network. The Cisco implementation of rsh and rcpinteroperates with standard implementations.

The rcp copy commands rely on the rsh server (or daemon) on the remote system. To copy files using rcp,you need not create a server for file distribution, as you do with TFTP. You need only to have access to aserver that supports the remote shell (rsh). (Most UNIX systems support rsh.) Because you are copying a filefrom one place to another, you must have read permission on the source file and write permission on thedestination file. If the destination file does not exist, rcp creates it for you.

Although the Cisco rcp implementation emulates the functions of the UNIX rcp implementation—copyingfiles among systems on the network—the Cisco command syntax differs from the UNIX rcp command syntax.The Cisco rcp support offers a set of copy commands that use rcp as the transport mechanism. These rcp copycommands are similar in style to the Cisco TFTP copy commands, but they offer an alternative that providesfaster performance and reliable delivery of data. These improvements are possible because the rcp transportmechanism is built on and uses the TCP/IP stack, which is connection-oriented. You can use rcp commandsto copy system images and configuration files from the device to a network server and vice versa.

You also can enable rcp support to allow users on remote systems to copy files to and from the device.

To configure the Cisco IOS software to allow remote users to copy files to and from the device, use the iprcmd rcp-enable global configuration command.

Restrictions

The RCP protocol requires a client to send a remote username on each RCP request to a server. When youcopy a configuration file from the device to a server using RCP, the Cisco IOS software sends the first validusername it encounters in the following sequence:

1. The username specified in the copy EXEC command, if a username is specified.

2. The username set by the ip rcmd remote-username global configuration command, if the commandis configured.

3. The remote username associatedwith the current tty (terminal) process. For example, if the user is connectedto the device through Telnet and was authenticated through the username command, the device softwaresends the Telnet username as the remote username.

4. The device host name.

For the RCP copy request to execute successfully, an account must be defined on the network server for theremote username. If the server has a directory structure, the configuration file or image is written to or copiedfrom the directory associated with the remote username on the server. For example, if the system image residesin the home directory of a user on the server, you can specify that user name as the remote username.

Use the ip rcmd remote-username command to specify a username for all copies. (Rcmd is a UNIX routineused at the super-user level to execute commands on a remote machine using an authentication scheme basedon reserved port numbers. Rcmd stands for “remote command”). Include the username in the copy commandif you want to specify a username for that copy operation only.


Managing Configuration FilesCopying a Configuration File from the Device to an RCP Server

If you are writing to the server, the RCP server must be properly configured to accept the RCP write requestfrom the user on the device. For UNIX systems, you must add an entry to the .rhosts file for the remote useron the RCP server. For example, suppose the device contains the following configuration lines:

hostname Device1ip rcmd remote-username User0

If the device IP address translates to device1.example.com, then the .rhosts file for User0 on the RCP servershould contain the following line:

Device1.example.com Device1

Requirements for the RCP Username

The RCP protocol requires a client to send a remote username on each RCP request to a server. When youcopy a configuration file from the device to a server using RCP, the Cisco IOS software sends the first validusername it encounters in the following sequence:


2. The username set by the ip rcmd remote-username global configuration command, if the commandis configured.

3. The remote username associatedwith the current tty (terminal) process. For example, if the user is connectedto the device through Telnet and is authenticated through the username command, the device softwaresends the Telnet username as the remote username.

4. The device host name.

For the RCP copy request to execute, an account must be defined on the network server for the remoteusername. If the server has a directory structure, the configuration file or image is written to or copied fromthe directory associated with the remote username on the server. For example, if the system image resides inthe home directory of a user on the server, specify that user name as the remote username.

Refer to the documentation for your RCP server for more information.

Copying a Configuration File from the Device to an FTP ServerYou can copy a configuration file from the device to an FTP server.

Understanding the FTP Username and Password

The password must not contain the special character '@'. If the character '@' is used, the copy fails to parsethe IP address of the server.

Note

The FTP protocol requires a client to send a remote username and password on each FTP request to a server.When you copy a configuration file from the device to a server using FTP, the Cisco IOS software sends thefirst valid username it encounters in the following sequence:


2. The username set by the ip ftp username global configuration command, if the command is configured.


Managing Configuration FilesRequirements for the RCP Username

3. Anonymous.

The device sends the first valid password it encounters in the following sequence:

1. The password specified in the copy command, if a password is specified.

2. The password set by the ip ftp password command, if the command is configured.

3. The device forms a password username @devicename.domain . The variable username is the usernameassociated with the current session, devicename is the configured host name, and domain is the domainof the device.

The username and password must be associated with an account on the FTP server. If you are writing to theserver, the FTP server must be properly configured to accept the FTP write request from the user on the device.

If the server has a directory structure, the configuration file or image is written to or copied from the directoryassociated with the username on the server. For example, if the system image resides in the home directoryof a user on the server, specify that user name as the remote username.

Refer to the documentation for your FTP server for more information.

Use the ip ftp username and ip ftp password global configuration commands to specify a username andpassword for all copies. Include the username in the copy EXEC command if you want to specify a usernamefor that copy operation only.

Copying files through a VRFYou can copy files through a VRF interface specified in the copy command. Specifying the VRF in the copycommand is easier and more efficient as you can directly change the source interface without using a changerequest for the configuration.

Example

The following example shows how to copy files through a VRF, using the copy command:Device# copy scp: flash-1: vrf test-vrfAddress or name of remote host [10.1.2.3]?Source username [ScpUser]?Source filename [/auto/tftp-server/ScpUser/vrf_test.txt]?Destination filename [vrf_test.txt]?Getting the vrf name as test-vrfPassword:Sending file modes: C0644 10 vrf_test.txt!223 bytes copied in 22.740 secs (10 bytes/sec)

Copy Configuration Files from a Switch to Another SwitchYou can copy the configurations from one switch to another. This is a 2-step process - Copy the configurationsfrom the switch to the TFTP server, and then from TFTP to another switch.

To copy your current configurations from the switch, run the command copy startup-config tftp: and followthe instructions. The configurations are copied onto the TFTP server.

Then, login to another switch and run the command copy tftp: startup-config and follow the instructions.The configurations are now copied onto the other switch.


Managing Configuration FilesCopying files through a VRF

After the configurations are copied, to save your configurations, usewrite memory command and then eitherreload the switch or run the copy startup-config running-config command

Configuration Files Larger than NVRAMTo maintain a configuration file that exceeds the size of NVRAM, you should be aware of the information inthe following sections.

Compressing the Configuration File

The service compress-config global configuration command specifies that the configuration file be storedcompressed in NVRAM. Once the configuration file has been compressed, the device functions normally.When the system is booted, it recognizes that the configuration file is compressed, expands it, and proceedsnormally. The more nvram:startup-config EXEC command expands the configuration before displayingit.

Before you compress configuration files, refer to the appropriate hardware installation and maintenancepublication. Verify that your system’s ROMs support file compression. If not, you can install new ROMs thatsupport file compression.

The size of the configuration must not exceed three times the NVRAM size. For a 128-KB size NVRAM, thelargest expanded configuration file size is 384 KB.

The service compress-config global configuration command works only if you have Cisco IOS softwareRelease 10.0 or later release boot ROMs. Installing new ROMs is a one-time operation and is necessary onlyif you do not already have Cisco IOS Release 10.0 in ROM. If the boot ROMs do not recognize a compressedconfiguration, the following message is displayed:

Boot ROMs do not support NVRAM compression Config NOT written to NVRAM

Storing the Configuration in Flash Memory on Class A Flash File Systems

On class A Flash file system devices, you can store the startup configuration in flash memory by setting theCONFIG_FILE environment variable to a file in internal flash memory or flash memory in a PCMCIA slot.

See the Specifying the CONFIG_FILE Environment Variable on Class A Flash File Systems , on page 240section for more information.

Care must be taken when editing or changing a large configuration. Flash memory space is used every timea copy system:running-config nvram:startup-config EXEC command is issued. Because file managementfor flash memory (such as optimizing free space) is not done automatically, you must pay close attention toavailable flash memory. Use the squeeze command to reclaim used space. We recommend that you use alarge-capacity Flash card of at least 20 MB.

Loading the Configuration Commands from the Network

You can also store large configurations on FTP, RCP, or TFTP servers and download them at system startup.To use a network server to store large configurations, see the Copying a Configuration File from the Deviceto a TFTP Server , on page 220 and Configuring the Device to Download Configuration Files, on page 217sections for more information on these commands.

Configuring the Device to Download Configuration FilesYou can configure the device to load one or two configuration files at system startup. The configuration filesare loaded into memory and read in as if you were typing the commands at the command line. Thus, the


Managing Configuration FilesConfiguration Files Larger than NVRAM

configuration for the device is a mixture of the original startup configuration and the one or two downloadedconfiguration files.

Network Versus Host Configuration Files

For historical reasons, the first file the device downloads is called the network configuration file. The secondfile the device downloads is called the host configuration file. Two configuration files can be used when allof the devices on a network use many of the same commands. The network configuration file contains thestandard commands used to configure all of the devices. The host configuration files contain the commandsspecific to one particular host. If you are loading two configuration files, the host configuration file shouldbe the configuration file you want to have precedence over the other file. Both the network and hostconfiguration files must reside on a network server reachable via TFTP, RCP, or FTP, and must be readable.

How to Manage Configuration File Information

Displaying Configuration File InformationTo display information about configuration files, complete the tasks in this section:

Procedure




Device> enable

Lists the contents of the BOOT environmentvariable (if set), the name of the configuration

show boot

Example:

Step 2

file pointed to by the CONFIG_FILE

Device# show bootenvironment variable, and the contents of theBOOTLDR environment variable.

Displays the contents of a specified file.more file-url

Example:

Step 3

Device# more 10.1.1.1

Displays the contents of the runningconfiguration file. (Command alias for themoresystem:running-config command.)

show running-config

Example:


Step 4

Displays the contents of the startupconfiguration file. (Command alias for themorenvram:startup-config command.)

show startup-config

Example:

Device# show startup-config

Step 5


Managing Configuration FilesNetwork Versus Host Configuration Files


On all platforms except the Class A Flash filesystem platforms, the default startup-config fileusually is stored in NVRAM.

On the Class A Flash file system platforms, theCONFIG_FILE environment variable points tothe default startup-config file.

The CONFIG_FILE variable defaults toNVRAM.

Modifying the Configuration FileThe Cisco IOS software accepts one configuration command per line. You can enter as many configurationcommands as you want. You can add comments to a configuration file describing the commands you haveentered. Precede a comment with an exclamation point (!). Because comments are not stored in NVRAM orin the active copy of the configuration file, comments do not appear when you list the active configurationwith the show running-config ormore system:running-config EXEC commands. Comments do not displaywhen you list the startup configuration with the show startup-config or more nvram:startup-config EXECmode commands. Comments are stripped out of the configuration file when it is loaded onto the device.However, you can list the comments in configuration files stored on a File Transfer Protocol (FTP), RemoteCopy Protocol (RCP), or Trivial File Transfer Protocol (TFTP) server. When you configure the software usingthe CLI, the software executes the commands as you enter them. To configure the software using the CLI,use the following commands in privileged EXEC mode:

Procedure




Device> enable


Example:

Step 2


Enter the necessary configuration commands.The Cisco IOS documentation set describes

configuration command

Example:

Step 3

configuration commands organized bytechnology.

Device(config)# configuration command

Ends the configuration session and exits toEXEC mode.

Do one of the following:Step 4

• endWhen you press the Ctrl and Z keyssimultaneously, ^Z is displayed tothe screen.

Note• ^Z

Example:


Managing Configuration FilesModifying the Configuration File


Device(config)# end

Saves the running configuration file as thestartup configuration file.

copy system:running-confignvram:startup-config

Step 5

Example: You may also use the copy running-configstartup-config command alias, but you should

Device# copy system:running-confignvram:startup-config

be aware that this command is less precise. Onmost platforms, this command saves theconfiguration to NVRAM.On the Class A Flashfile system platforms, this step saves theconfiguration to the location specified by theCONFIG_FILE environment variable (thedefault CONFIG_FILE variable specifies thatthe file should be saved to NVRAM).

Examples

In the following example, the device prompt name of the device is configured. The comment line,indicated by the exclamation mark (!), does not execute any command. The hostname command isused to change the device name from device to new_name. By pressing Ctrl-Z (^Z) or entering theend command, the user quits configuration mode. The copy system:running-confignvram:startup-config command saves the current configuration to the startup configuration.

Device# configure terminalDevice(config)# !The following command provides the switch host name.Device(config)# hostname new_namenew_name(config)# endnew_name# copy system:running-config nvram:startup-config

When the startup configuration is NVRAM, it stores the current configuration information in textformat as configuration commands, recording only non-default settings. Thememory is checksummedto guard against corrupted data.

Some specific commands might not get saved to NVRAM. You need to enter these commands againif you reboot the machine. These commands are noted in the documentation. We recommend thatyou keep a list of these settings so that you can quickly reconfigure your device after rebooting.

Note

Copying a Configuration File from the Device to a TFTP ServerTo copy configuration information on a TFTP network server, complete the tasks in this section:


Managing Configuration FilesCopying a Configuration File from the Device to a TFTP Server

Procedure




Device> enable

Copies the running configuration file to a TFTPserver.

copy system:running-config tftp: [[[//location]/directory ]/filename ]

Example:

Step 2

Device# copy system:running-config tftp://server1/topdir/file10

Copies the startup configuration file to a TFTPserver.

copy nvram:startup-config tftp: [[[//location]/directory ]/filename ]

Example:

Step 3

Device# copy nvram:startup-config tftp://server1/1stdir/file10

Examples

The following example copies a configuration file from a device to a TFTP server:

Device# copy system:running-config tftp://172.16.2.155/tokyo-confgWrite file tokyo-confg on host 172.16.2.155? [confirm] YWriting tokyo-confg!!! [OK]

What to Do NextAfter you have issued the copy command, you may be prompted for additional information or for confirmationof the action. The prompt displayed depends on how much information you provide in the copy commandand the current setting of the file prompt global configuration command.

Copying a Configuration File from the Device to an RCP ServerTo copy a startup configuration file or a running configuration file from the device to an RCP server, use thefollowing commands beginning in privileged EXEC mode:

Procedure





Managing Configuration FilesWhat to Do Next


Device> enable


Example:

Step 2


(Optional) Changes the default remoteusername.

ip rcmd remote-username username

Example:

Step 3

Device(config)# ip rcmd remote-usernameNetAdmin1

(Optional) Exits global configuration mode.end

Example:

Step 4

Device(config)# end

Do one of the following:Step 5 • Specifies that the device runningconfiguration file is to be stored on an RCPserver• copy system:running-config rcp:

[[[//[username@]location ]/directory]/filename ] or

• copy nvram:startup-config rcp:[[[//[username@]location ]/directory]/filename ]

• Specifies that the device startupconfiguration file is to be stored on an RCPserver

Example:

Device# copy system:running-config rcp://[email protected]/dir-files/file1

Examples

Storing a Running Configuration File on an RCP Server

The following example copies the running configuration file named runfile2-confg to the netadmin1 directoryon the remote host with an IP address of 172.16.101.101:

Device# copy system:running-config rcp://[email protected]/runfile2-confgWrite file runfile2-confg on host 172.16.101.101?[confirm]Building configuration...[OK]Connected to 172.16.101.101Device#

Storing a Startup Configuration File on an RCP Server

The following example shows how to store a startup configuration file on a server by using RCP to copy thefile:


Managing Configuration FilesExamples


Device(config)# ip rcmd remote-username netadmin2

Device(config)# end

Device# copy nvram:startup-config rcp:

Remote host[]? 172.16.101.101

Name of configuration file to write [start-confg]?Write file start-confg on host 172.16.101.101?[confirm]![OK]

What to Do NextAfter you have issued the copy EXEC command, you may be prompted for additional information or forconfirmation of the action. The prompt displayed depends on how much information you provide in the copycommand and the current setting of the file prompt global configuration command.

Copying a Configuration File from the Device to the FTP ServerTo copy a startup configuration file or a running configuration file from the device to an FTP server, completethe following tasks:

Procedure




Device> enable

Enters global configurationmode on the device.configure terminal

Example:

Step 2


(Optional) Specifies the default remoteusername.

ip ftp username username

Example:

Step 3

Device(config)# ip ftp username NetAdmin1

(Optional) Specifies the default password.ip ftp password password

Example:

Step 4

Device(config)# ip ftp passwordadminpassword

(Optional) Exits global configuration mode.This step is required only if you override the

end

Example:

Step 5




default remote username or password (see Steps2 and 3).Device(config)# end

Copies the running configuration or startupconfiguration file to the specified location onthe FTP server.


• copy system:running-config ftp:[[[//[username [:password]@]location]/directory ]/filename ] or

• copy nvram:startup-config ftp:[[[//[username [:password]@]location]/directory ]/filename ]

Example:

Device# copy system:running-config ftp:

Examples

Storing a Running Configuration File on an FTP Server

The following example copies the running configuration file named runfile-confg to the netadmin1 directoryon the remote host with an IP address of 172.16.101.101:

Device# copy system:running-config ftp://netadmin1:[email protected]/runfile-confgWrite file runfile-confg on host 172.16.101.101?[confirm]Building configuration...[OK]Connected to 172.16.101.101Device#

Storing a Startup Configuration File on an FTP Server

The following example shows how to store a startup configuration file on a server by using FTP to copy thefile:


Device(config)# ip ftp username netadmin2

Device(config)# ip ftp password mypass

Device(config)# end

Device# copy nvram:startup-config ftp:

Remote host[]? 172.16.101.101

Name of configuration file to write [start-confg]?Write file start-confg on host 172.16.101.101?[confirm]![OK]




Copying a Configuration File from a TFTP Server to the DeviceTo copy a configuration file from a TFTP server to the device, complete the tasks in this section:

Procedure




Device> enable

Copies a configuration file from a TFTP serverto the running configuration.

copy tftp: [[[//location]/directory]/filename]system:running-config

Example:

Step 2

Device# copytftp://server1/dir10/datasourcesystem:running-config

Copies a configuration file from a TFTP serverto the startup configuration.

copy tftp: [[[//location]/directory]/filename]nvram:startup-config

Example:

Step 3

Device# copytftp://server1/dir10/datasourcenvram:startup-config

Copies a configuration file from a TFTP serverto the startup configuration.

copy tftp:[[[//location]/directory]/filename]flash-[n]:/directory/startup-config

Example:

Step 4

Device# copytftp://server1/dir10/datasourceflash:startup-config

Examples

In the following example, the software is configured from the file named tokyo-confg at IPaddress 172.16.2.155:

Device# copy tftp://172.16.2.155/tokyo-confg system:running-config



Configure using tokyo-confg from 172.16.2.155? [confirm] Y

Booting tokyo-confg from 172.16.2.155:!!! [OK - 874/16000 bytes]


Copying a Configuration File from the rcp Server to the DeviceTo copy a configuration file from an rcp server to the running configuration or startup configuration, completethe following tasks:

Procedure




Device> enable

(Optional) Enters configuration mode from theterminal. This step is required only if you

configure terminal

Example:

Step 2

override the default remote username (see Step3).


(Optional) Specifies the remote username.ip rcmd remote-username username

Example:

Step 3

Device(config)# ip rcmd remote-usernameNetAdmin1

(Optional) Exits global configuration mode.This step is required only if you override thedefault remote username (see Step 2).

end

Example:

Device(config)# end

Step 4

Copies the configuration file from an rcp serverto the running configuration or startupconfiguration.


• copyrcp:[[[//[username@]location]/directory]/filename]system:running-config

• copyrcp:[[[//[username@]location]/directory]/filename]nvram:startup-config

Example:

Device# copy



PurposeCommand or Actionrcp://[[email protected]/dir10/fileone]nvram:startup-config

Examples

Copy RCP Running-Config

The following example copies a configuration file named host1-confg from the netadmin1 directory on theremote server with an IP address of 172.16.101.101, and loads and runs the commands on the device:

device# copy rcp://[email protected]/host1-confg system:running-configConfigure using host1-confg from 172.16.101.101? [confirm]Connected to 172.16.101.101Loading 1112 byte file host1-confg:![OK]device#%SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101

Copy RCP Startup-Config

The following example specifies a remote username of netadmin1. Then it copies the configuration file namedhost2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to thestartup configuration.

device# configure terminaldevice(config)# ip rcmd remote-username netadmin1device(config)# enddevice# copy rcp: nvram:startup-configAddress of remote host [255.255.255.255]? 172.16.101.101Name of configuration file[rtr2-confg]? host2-confgConfigure using host2-confg from 172.16.101.101?[confirm]Connected to 172.16.101.101Loading 1112 byte file host2-confg:![OK][OK]device#%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by rcp from 172.16.101.101


Copying a Configuration File from an FTP Server to the DeviceTo copy a configuration file from an FTP server to the running configuration or startup configuration, completethe tasks in this section:

Procedure







Device> enable

(Optional) Allows you to enter globalconfiguration mode. This step is required only

configure terminal

Example:

Step 2

if you want to override the default remoteusername or password (see Steps 3 and 4).


(Optional) Specifies the default remoteusername.

ip ftp username username

Example:

Step 3

Device(config)# ip ftp username NetAdmin1

(Optional) Specifies the default password.ip ftp password password

Example:

Step 4


(Optional) Exits global configuration mode.This step is required only if you override the

end

Example:

Step 5

default remote username or password (see Steps3 and 4).

Device(config)# end

Using FTP copies the configuration file from anetwork server to runningmemory or the startupconfiguration.


• copy ftp:[[[//[username[:password]@]location]/directory]/filename]system:running-config

• copy ftp: [[[//[username[:password]@]location]/directory]/filename]nvram:startup-config

Example:

Device# copy ftp:nvram:startup-config

Examples

Copy FTP Running-Config

The following example copies a host configuration file named host1-confg from the netadmin1 directory onthe remote server with an IP address of 172.16.101.101, and loads and runs the commands on the device:

device# copy ftp://netadmin1:[email protected]/host1-confg system:running-configConfigure using host1-confg from 172.16.101.101? [confirm]Connected to 172.16.101.101Loading 1112 byte file host1-confg:![OK]



device#%SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101

Copy FTP Startup-Config

The following example specifies a remote username of netadmin1. Then it copies the configuration file namedhost2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to thestartup configuration:

device# configure terminaldevice(config)# ip ftp username netadmin1device(config)# ip ftp password mypassdevice(config)# enddevice# copy ftp: nvram:startup-configAddress of remote host [255.255.255.255]? 172.16.101.101Name of configuration file[host1-confg]? host2-confgConfigure using host2-confg from 172.16.101.101?[confirm]Connected to 172.16.101.101Loading 1112 byte file host2-confg:![OK][OK]device#%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by ftp from 172.16.101.101


Maintaining Configuration Files Larger than NVRAMTomaintain a configuration file that exceeds the size of NVRAM, perform the tasks described in the followingsections:

Compressing the Configuration FileTo compress configuration files, complete the tasks in this section:

Procedure




Device> enable


Example:

Step 2



Managing Configuration FilesCopy FTP Startup-Config


Specifies that the configuration file becompressed.

service compress-config

Example:

Step 3

Device(config)# service compress-config

Exits global configuration mode.end

Example:

Step 4

Device(config)# end

Enters the new configuration:Do one of the following:Step 5

• Use FTP, RCP, or TFTP to copy the newconfiguration.

• If you try to load a configuration that ismore than three times larger than theNVRAMsize, the following error messageis displayed:

• configure terminal

Example:

Device# configure terminal“[buffer overflow - file-size /buffer-size bytes].”

When you have finished changing therunning-configuration, save the newconfiguration.


Example:

Step 6

Device(config)# copysystem:running-confignvram:startup-config

Examples

The following example compresses a 129-KB configuration file to 11 KB:


Device(config)# service compress-config

Device(config)# end

Device# copy tftp://172.16.2.15/tokyo-confg system:running-config

Configure using tokyo-confg from 172.16.2.155? [confirm] y

Booting tokyo-confg from 172.16.2.155:!!! [OK - 874/16000 bytes]Device# copy system:running-config nvram:startup-config

Building configuration...Compressing configuration from 129648 bytes to 11077 bytes[OK]


Managing Configuration FilesCompressing the Configuration File

Storing the Configuration in Flash Memory on Class A Flash File SystemsTo store the startup configuration in flash memory, complete the tasks in this section:

Procedure




Device> enable

Copies the current startup configuration to thenew location to create the configuration file.

copy nvram:startup-configflash-filesystem:filename

Example:

Step 2

Device# copy nvram:startup-configusbflash0:switch-config


Example:

Step 3


Specifies that the startup configuration file bestored in flash memory by setting theCONFIG_FILE variable.

boot config flash-filesystem: filename

Example:

Device(config)# boot configusbflash0:switch-config

Step 4


Example:

Step 5

Device(config)# end

Enters the new configuration.Do one of the following:Step 6

• Use FTP, RCP, or TFTP to copy the newconfiguration. If you try to load aconfiguration that is more than three timeslarger than the NVRAM size, thefollowing error message is displayed:“[buffer overflow - file-size /buffer-sizebytes]. ”

• configure terminal

Example:



Managing Configuration FilesStoring the Configuration in Flash Memory on Class A Flash File Systems


When you have finished changing therunning-configuration, save the newconfiguration.


Example:

Step 7

Device(config)# copysystem:running-confignvram:startup-config

Examples

The following example stores the configuration file in usbflash0:

Device# copy nvram:startup-config usbflash0:switch-config


Device(config)# boot config usbflash0:switch-config

Device(config)# end

Device# copy system:running-config nvram:startup-config

Loading the Configuration Commands from the NetworkTo use a network server to store large configurations, complete the tasks in this section:

Procedure




Device> enable

Saves the running configuration to an FTP,RCP, or TFTP server.

copy system:running-config {ftp: | rcp: |tftp:}

Example:

Step 2

Device# copy system:running-config ftp:


Example:

Step 3


Specifies that the startup configuration file beloaded from the network server at startup.

boot network {ftp:[[[//[username [:password]@]location ]/directory ]/filename ] |rcp:[[[//[username@]location ]/directory

Step 4


Managing Configuration FilesLoading the Configuration Commands from the Network


]/filename ] | tftp:[[[//location ]/directory]/filename ]}

Example:

Device(config)# boot networkftp://user1:[email protected]/dir10/file1

Enables the switch to download configurationfiles at system startup.

service config

Example:

Step 5

Device(config)# service config


Example:

Step 6

Device(config)# end

Saves the configuration.copy system:running-confignvram:startup-config

Step 7

Example:


Copying Configuration Files from Flash Memory to the Startup or RunningConfiguration

To copy a configuration file from flash memory directly to your startup configuration in NVRAM or yourrunning configuration, enter one of the commands in Step 2:

Procedure




Device> enable

Do one of the following:Step 2 • Loads a configuration file directly intoNVRAM or• copy filesystem:

[partition-number:][filename ]nvram:startup-config

• Copies a configuration file to your runningconfiguration

• copy filesystem:[partition-number:][filename ]system:running-config


Managing Configuration FilesCopying Configuration Files from Flash Memory to the Startup or Running Configuration


Example:

Device# copy usbflash0:4:ios-upgrade-1nvram:startup-config

Examples

The following example copies the file named ios-upgrade-1 from partition 4 of the flash memoryPC Card in usbflash0 to the device startup configurations:

Device# copy usbflash0:4:ios-upgrade-1 nvram:startup-config

Copy 'ios-upgrade-1' from flash device as 'startup-config' ? [yes/no] yes

[OK]

Copying Configuration Files Between Flash Memory File SystemsOn platforms with multiple flash memory file systems, you can copy files from one flash memory file system,such as internal flash memory to another flash memory file system. Copying files to different flash memoryfile systems lets you create backup copies of working configurations and duplicate configurations for otherdevices. To copy a configuration file between flash memory file systems, use the following commands inEXEC mode:

Procedure




Device> enable

Displays the layout and contents of flashmemory to verify the filename.

show source-filesystem:

Example:

Step 2

Device# show flash:

Copies a configuration file between flashmemory devices.

copy source-filesystem:[partition-number:][filename ]dest-filesystem:[partition-number:][filename ]

Step 3

• The source device and the destinationdevice cannot be the same. For example,Example:the copy usbflash0: usbflash0:command is invalid.Device# copy flash: usbflash0:


Managing Configuration FilesCopying Configuration Files Between Flash Memory File Systems

Example

The following example copies the file named running-config from partition 1 on internal flashmemoryto partition 1 of usbflash0 on a device. In this example, the source partition is not specified, so thedevice prompts for the partition number:

Device# copy flash: usbflash0:

System flashPartition Size Used Free Bank-Size State Copy Mode1 4096K 3070K 1025K 4096K Read/Write Direct2 16384K 1671K 14712K 8192K Read/Write Direct

[Type ?<no> for partition directory; ? for full directory; q to abort]Which partition? [default = 1]System flash directory, partition 1:File Length Name/status1 3142748 dirt/network/mars-test/c3600-j-mz.latest2 850 running-config

[3143728 bytes used, 1050576 available, 4194304 total]usbflash0 flash directory:File Length Name/status1 1711088 dirt/gate/c3600-i-mz2 850 running-config

[1712068 bytes used, 2482236 available, 4194304 total]Source file name? running-config

Destination file name [running-config]?Verifying checksum for 'running-config' (file # 2)... OKErase flash device before writing? [confirm]Flash contains files. Are you sure you want to erase? [confirm]Copy 'running-config' from flash: deviceas 'running-config' into usbflash0: device WITH erase? [yes/no] yes

Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased!

[OK - 850/4194304 bytes]Flash device copy took 00:00:30 [hh:mm:ss]Verifying checksum... OK (0x16)

Copying a Configuration File from an FTP Server to Flash Memory DevicesTo copy a configuration file from an FTP server to a flash memory device, complete the task in this section:

Procedure




Device> enable

(Optional) Enters global configuration mode.This step is required only if you override the

configure terminal

Example:

Step 2

default remote username or password (see Steps3 and 4).


Managing Configuration FilesCopying a Configuration File from an FTP Server to Flash Memory Devices



(Optional) Specifies the remote username.ip ftp username username

Example:

Step 3

Device(config)# ip ftp username Admin01

(Optional) Specifies the remote password.ip ftp password password

Example:

Step 4


(Optional) Exits configuration mode. This stepis required only if you override the defaultremote username (see Steps 3 and 4).

end

Example:

Device(config)# end

Step 5

Copies the configuration file from a networkserver to the flash memory device using FTP.

copy ftp: [[//location]/directory ]/bundle_nameflash:

Example:

Step 6

Device>copyftp:/cat9k_iosxe.16.11.01.SPA.bin flash:


Copying a Configuration File from an RCP Server to Flash Memory DevicesTo copy a configuration file from an RCP server to a flash memory device, complete the tasks in this section:

Procedure




Device> enable

(Optional) Enters global configuration mode.This step is required only if you override the

configure terminal

Example:

Step 2




default remote username or password (see Step3).Device# configure terminal

(Optional) Specifies the remote username.ip rcmd remote-username username

Example:

Step 3

Device(config)# ip rcmd remote-usernameAdmin01

(Optional) Exits configuration mode. This stepis required only if you override the defaultremote username or password (see Step 3).

end

Example:

Device(config)# end

Step 4

Copies the configuration file from a networkserver to the flash memory device using RCP.

copy rcp: [[[//[username@]location ]/directory]/bundle_name] flash:

Step 5

Respond to any device prompts for additionalExample: information or confirmation. Prompting depends

Device# copyon how much information you provide in thecopy command and the current setting of thefile prompt command.

rcp://[email protected]/bundle1flash:

Copying a Configuration File from a TFTP Server to Flash Memory DevicesTo copy a configuration file from a TFTP server to a flash memory device, complete the tasks in this section:

Procedure




Device> enable

Copies the file from a TFTP server to the flashmemory device. Reply to any device prompts

copy tftp: [[[//location ]/directory]/bundle_name flash:

Step 2

for additional information or confirmation.Example: Prompting depends on how much information

Device#you provide in the copy command and thecurrent setting of the file prompt command.copy

tftp:/cat3k_caa-universalk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.binflash:

Examples

The following example shows the copying of the configuration file named switch-config from aTFTP server to the flash memory card inserted in usbflash0. The copied file is renamed new-config.


Managing Configuration FilesCopying a Configuration File from a TFTP Server to Flash Memory Devices

Device#copy tftp:switch-config usbflash0:new-config

Re-executing the Configuration Commands in the Startup Configuration FileTo re-execute the commands located in the startup configuration file, complete the task in this section:

Procedure




Device> enable

Re-executes the configuration commandslocated in the startup configuration file.

configure memory

Example:

Step 2

Device# configure memory

Clearing the Startup ConfigurationYou can clear the configuration information from the startup configuration. If you reboot the device with nostartup configuration, the device enters the Setup command facility so that you can configure the device fromscratch. To clear the contents of your startup configuration, complete the task in this section:

Procedure




Device> enable

Clears the contents of your startupconfiguration.

erase nvram

Example:

Step 2


Managing Configuration FilesRe-executing the Configuration Commands in the Startup Configuration File


Device# erase nvramFor all platforms except the Class AFlash file system platforms, thiscommand erases NVRAM. Thestartup configuration file cannot berestored once it has been deleted. OnClass A Flash file system platforms,when you use the erasestartup-configEXEC command, thedevice erases or deletes theconfiguration pointed to by theCONFIG_FILE environmentvariable. If this variable points toNVRAM, the device erasesNVRAM. If the CONFIG_FILEenvironment variable specifies aflash memory device andconfiguration filename, the devicedeletes the configuration file. Thatis, the device marks the file as“deleted,” rather than erasing it. Thisfeature allows you to recover adeleted file.

Note

Deleting a Specified Configuration FileTo delete a specified configuration on a specific flash device, complete the task in this section:

Procedure




Device> enable

Deletes the specified configuration file on thespecified flash device.

delete flash-filesystem:filename

Example:

Step 2


Managing Configuration FilesDeleting a Specified Configuration File


Device# delete usbflash0:myconfigOnClass A and B Flash file systems,when you delete a specific file inflash memory, the system marks thefile as deleted, allowing you to laterrecover a deleted file using theundelete EXEC command. Erasedfiles cannot be recovered. Topermanently erase the configurationfile, use the squeeze EXECcommand. On Class C Flash filesystems, you cannot recover a filethat has been deleted. If you attemptto erase or delete the configurationfile specified by the CONFIG_FILEenvironment variable, the systemprompts you to confirm the deletion.

Note

Specifying the CONFIG_FILE Environment Variable on Class A Flash FileSystems

On Class A flash file systems, you can configure the Cisco IOS software to load the startup configuration filespecified by the CONFIG_FILE environment variable. The CONFIG_FILE variable defaults to NVRAM.To change the CONFIG_FILE environment variable, complete the tasks in this section:

Procedure




Device> enable

Copies the configuration file to the flash filesystem from which the device loads the file onrestart.

copy [flash-url | ftp-url | rcp-url | tftp-url |system:running-config |nvram:startup-config] dest-flash-url

Example:

Step 2



Example:

Step 3



Managing Configuration FilesSpecifying the CONFIG_FILE Environment Variable on Class A Flash File Systems


Sets the CONFIG_FILE environment variable.This step modifies the runtime CONFIG_FILEenvironment variable.

boot config dest-flash-url

Example:

Device(config)# boot config 172.16.1.1

Step 4


Example:

Step 5

Device(config)# end

Saves the configuration performed in Step 3 tothe startup configuration.


Example:

Step 6


(Optional) Allows you to verify the contents ofthe CONFIG_FILE environment variable.

show boot

Example:

Step 7

Device# show boot

Examples

The following example copies the running configuration file to the device. This configuration is thenused as the startup configuration when the system is restarted:

Device# copy system:running-config usbflash0:config2Device# configure terminalDevice(config)# boot config usbflash0:config2Device(config)# endDevice# copy system:running-config nvram:startup-config[ok]Device# show bootBOOT variable = usbflash0:rsp-boot-mCONFIG_FILE variable = nvram:Current CONFIG_FILE variable = usbflash0:config2Configuration register is 0x010F

What to Do NextAfter you specify a location for the startup configuration file, the nvram:startup-config command is aliasedto the new location of the startup configuration file. The more nvram:startup-config EXEC commanddisplays the startup configuration, regardless of its location. The erase nvram:startup-configEXEC commanderases the contents of NVRAM and deletes the file pointed to by the CONFIG_FILE environment variable.

When you save the configuration using the copy system:running-config nvram:startup-config command,the device saves a complete version of the configuration file to the location specified by the CONFIG_FILEenvironment variable and a distilled version to NVRAM. A distilled version is one that does not contain access



list information. If NVRAM contains a complete configuration file, the device prompts you to confirm youroverwrite of the complete version with the distilled version. If NVRAM contains a distilled configuration,the device does not prompt you for confirmation and proceeds with overwriting the existing distilledconfiguration file in NVRAM.

If you specify a file in a flash device as the CONFIG_FILE environment variable, every time you save yourconfiguration file with the copy system:running-config nvram:startup-config command, the oldconfiguration file is marked as “deleted,” and the new configuration file is saved to that device. Eventually,Flash memory fills up as the old configuration files still take up memory. Use the squeeze EXEC commandto permanently delete the old configuration files and reclaim the space.

Note

Configuring the Device to Download Configuration FilesYou can specify an ordered list of network configuration and host configuration filenames. The Cisco IOSXE software scans this list until it loads the appropriate network or host configuration file.

To configure the device to download configuration files at system startup, perform at least one of the tasksdescribed in the following sections:

• Configuring the Device to Download the Network Configuration File

• Configuring the Device to Download the Host Configuration File

If the device fails to load a configuration file during startup, it tries again every 10 minutes (the default setting)until a host provides the requested files. With each failed attempt, the device displays the following messageon the console terminal:

Booting host-confg... [timed out]

If there are any problems with the startup configuration file, or if the configuration register is set to ignoreNVRAM, the device enters the Setup command facility.

Configuring the Device to Download the Network Configuration FileTo configure the Cisco IOS software to download a network configuration file from a server at startup,complete the tasks in this section:

Procedure




Device> enable


Example:

Step 2


Managing Configuration FilesConfiguring the Device to Download Configuration Files



Specifies the network configuration file todownload at startup, and the protocol to be used(TFTP, RCP, or FTP).

boot network {ftp:[[[//[username [:password]@]location ]/directory ]/filename ] |rcp:[[[//[username@]location ]/directory

Step 3

]/filename ] | tftp:[[[//location ]/directory]/filename ]} • If you do not specify a network

configuration filename, the Cisco IOSExample: software uses the default filename

network-confg. If you omit the address,the device uses the broadcast address.Device(config)# boot network

tftp:hostfile1• You can specify more than one networkconfiguration file. The software tries themin order entered until it loads one. Thisprocedure can be useful for keeping fileswith different configuration informationloaded on a network server.

Enables the system to automatically load thenetwork file on restart.

service config

Example:

Step 4



Example:

Step 5

Device(config)# end

Saves the running configuration to the startupconfiguration file.


Example:

Step 6


Configuring the Device to Download the Host Configuration FileTo configure the Cisco IOS software to download a host configuration file from a server at startup, completethe tasks in this section:

Procedure




Device> enable


Managing Configuration FilesConfiguring the Device to Download the Host Configuration File



Example:

Step 2


Specifies the host configuration file to downloadat startup, and the protocol to be used (FTP,RCP, or TFTP):

boot host {ftp:[[[//[username [:password]@]location ]/directory ]/filename ] |rcp:[[[//[username@]location ]/directory

Step 3

]/filename ] | tftp:[[[//location ]/directory]/filename ] } • If you do not specify a host configuration

filename, the device uses its own name toExample: form a host configuration filename by

converting the name to all lowercaseDevice(config)# boot host tftp:hostfile1 letters, removing all domain information,

and appending “-confg.” If no host nameinformation is available, the software usesthe default host configuration filenamedevice-confg. If you omit the address, thedevice uses the broadcast address.

• You can specify more than one hostconfiguration file. The Cisco IOS softwaretries them in order entered until it loadsone. This procedure can be useful forkeeping files with different configurationinformation loaded on a network server.

Enables the system to automatically load thehost file upon restart.

service config

Example:

Step 4



Example:

Step 5

Device(config)# end

Saves the running configuration to the startupconfiguration file.


Example:

Step 6



Managing Configuration FilesConfiguring the Device to Download the Host Configuration File

Example

In the following example, a device is configured to download the host configuration file namedhostfile1 and the network configuration file named networkfile1. The device uses TFTP and thebroadcast address to obtain the file:

Device# configure terminalDevice(config)# boot host tftp:hostfile1Device(config)# boot network tftp:networkfile1Device(config)# service configDevice(config)# endDevice# copy system:running-config nvram:startup-config

Feature History for Managing Configuration FilesThis table provides release and related information for features explained in this module.



Configuration files contain the Cisco IOS softwarecommands used to customize the functionality ofyour Cisco device. Commands are parsed(translated and executed) by the Cisco IOS softwarewhen the system is booted (from the startup-configfile) or when you enter commands at the CLI in aconfiguration mode.


Managing ConfigurationFiles



Managing ConfigurationFiles




Managing Configuration FilesFeature History for Managing Configuration Files



Managing Configuration FilesFeature History for Managing Configuration Files

C H A P T E R 10Secure Copy

This document provides the procedure to configure a Cisco device for Secure Copy (SCP) server-sidefunctionality.

• Prerequisites for Secure Copy, on page 247• Information About Secure Copy, on page 247• How to Configure Secure Copy, on page 248• Configuration Examples for Secure Copy, on page 251• Additional References for Secure Copy, on page 252• Feature Information for Secure Copy, on page 252

Prerequisites for Secure Copy• Configure Secure Shell (SSH), authentication, and authorization on the device.

• Because the Secure Copy Protocol (SCP) relies on SSH for its secure transport, the device must have aRivest, Shamir, and Adelman (RSA) key pair.

Information About Secure CopyThe Secure Copy feature provides a secure and authenticated method for copying switch configurations orswitch image files. The Secure Copy Protocol (SCP) relies on Secure Shell (SSH), an application and a protocolthat provides a secure replacement for the Berkeley r-tools.

The behavior of SCP is similar to that of Remote Copy Protocol (RCP), which comes from the Berkeleyr-tools suite (Berkeley university’s own set of networking applications), except that SCP relies on SSH forsecurity. In addition, SCP requires authentication, authorization, and accounting (AAA) to be configured toensure that the device can determine whether a user has the correct privilege level.

SCP allows only users with a privilege level of 15 to copy a file in the Cisco IOS File System (Cisco IFS) toand from a device by using the copy command. An authorized administrator can also perform this action froma workstation.


• Enable the SCP option while using the pscp.exe file.

• An RSA public-private key pair must be configured on the device for SSH to work.

Note

Secure Copy Performance ImprovementsSSH bulk data transfer mode can be used to enhance the throughput performance of SCP that is operating inthe capacity of a client or a server. This mode is disabled by default, but can be enabled by using the ip sshbulk-mode global configuration command. TCP selective acknowledgement (SACK) is enabled by defaultif the bulk mode window size is configured.

We recommend that you enable this command only for transferring large files, and disable it after the filetransfer is complete.

Note

The default bulk mode window size of 128 KB is optimal to copy large files in most network settings. However,in long big networks where the round-trip time (RTT) is high, 128 KB is not enough. You can enable the mostoptimal SCP throughput performance by configuring the bulk mode window size using the ip ssh bulk-modewindow-size command. For example, in an ideal lab testing environment, a window size of 2 MB in a200-milliseconds round-trip time setting can give around 500 percent improved throughput performance whencompared to the default 128-KB window size.

The bulk mode window size must be configured as per the network bandwidth-delay product, that is, a multipleof total available bandwidth in bits per second and the round-trip time in seconds. Because the CPU usagemay increase with the increased window size, make sure to balance this by choosing the right window size.

How to Configure Secure CopyThe following sections provide information about the Secure Copy configuration tasks.

Configuring Secure CopyTo configure a Cisco device for SCP server-side functionality, perform the following steps.

Procedure




Device> enable


Example:

Step 2


Secure CopySecure Copy Performance Improvements



Sets AAA authentication at login.aaa new-model

Example:

Step 3

Device(config)# aaa new-model

Enables the AAA access control system.aaa authentication login {default | list-name}method1 [ method2... ]

Step 4

Example:

Device(config)# aaa authentication logindefault group tacacs+

Establishes a username-based authenticationsystem.

username name [privilege level] passwordencryption-type encrypted-password

Step 5

Example: You can omit this step if anetwork-based authenticationmechanism, such as TACACS+ orRADIUS, has been configured.

Note

Device(config)# username superuserprivilege 2 password 0 superpassword

Enables SCP server-side functionality.ip scp server enable

Example:

Step 6

Device(config)# ip scp server enable

Exits global configuration mode and returns toprivileged EXEC mode.

exit

Example:

Step 7


(Optional) Troubleshoots SCP authenticationproblems.

debug ip scp

Example:

Step 8

Device# debug ip scp

Enabling Secure Copy on the SSH ServerThe following task shows how to configure the server-side functionality for SCP. This task shows a typicalconfiguration that allows a device to securely copy files from a remote workstation.

Procedure




Secure CopyEnabling Secure Copy on the SSH Server



Device> enable


Example:

Step 2


Enables the Authentication, Authorization, andAccounting (AAA) access control model.

aaa new-model

Example:

Step 3

Device(config)# aaa new-model

Sets AAA authentication to use the localusername database for authentication at login.

aaa authentication login default local

Example:

Step 4

Device(config)# aaa authentication logindefault local

Sets the parameters that restrict user access toa network, runs the authorization to determine

aaa authorization exec default local

Example:

Step 5

if the user ID is allowed to run an privileged

Device(config)# aaa authorization execdefault local

EXEC shell, and specifies that the systemmustuse the local database for authorization.

Establishes a username-based authenticationsystem, and specifies the username, privilegelevel, and an unencrypted password.

username name privilege privilege-levelpassword password

Example:

Step 6

The minimum required value forthe privilege-level argument is 15.A privilege level of less than 15results in the connection closing.

NoteDevice(config)# username samplenameprivilege 15 password password1

Sets the time interval (in seconds) that thedevice waits for the SSH client to respond.

ip ssh time-out seconds

Example:

Step 7

Device(config)# ip ssh time-out 120

Sets the number of authentication attemptsafter which the interface is reset.

ip ssh authentication-retries integer

Example:

Step 8

Device(config)# ip sshauthentication-retries 3

Enables the device to securely copy files froma remote workstation.

ip scp server enable

Example:

Step 9


Secure CopyEnabling Secure Copy on the SSH Server


Device(config)# ip scp server enable

(Optional) Enables SSH bulk data transfermode to enhance the throughput performanceof SCP.

ip ssh bulk-mode window-size

Example:

Device(config)# ip ssh bulk-mode33107232

Step 10


exit

Example:

Step 11


(Optional) Provides diagnostic informationabout SCP authentication problems.

debug ip scp

Example:

Step 12

Device# debug ip scp

Configuration Examples for Secure CopyThe following are examples of the Secure Copy configuration.

Example: Secure Copy Configuration Using Local AuthenticationThe following example shows how to configure the server-side functionality of Secure Copy. This exampleuses a locally defined username and password.

! AAA authentication and authorization must be configured properly in order for SCP to work.Device> enableDevice# configure terminalDevice(config)# aaa new-modelDevice(config)# aaa authentication login default localDevice(config)# aaa authorization exec default localDevice(config)# username user1 privilege 15 password 0 lab! SSH must be configured and functioning properly.Device(config)# ip scp server enableDevice(config)# end

Example: Secure Copy Server-Side Configuration Using Network-BasedAuthentication

The following example shows how to configure the server-side functionality of Secure Copy using anetwork-based authentication mechanism:

! AAA authentication and authorization must be configured properly for SCP to work.


Secure CopyConfiguration Examples for Secure Copy

Device> enableDevice# configure terminalDevice(config)# aaa new-modelDevice(config)# aaa authentication login default group tacacs+Device(config)# aaa authorization exec default group tacacs+! SSH must be configured and functioning properly.Device(config)# ip ssh time-out 120Device(config)# ip ssh authentication-retries 3Device(config)# ip scp server enableDevice(config)# end

Additional References for Secure CopyRelated Documents


Configuring Secure ShellSecure Shell Version 1 and 2 support

Technical Assistance

LinkDescription

http://www.cisco.com/cisco/web/support/index.htmlTheCisco Support andDocumentationwebsite providesonline resources to download documentation, software,and tools. Use these resources to install and configurethe software and to troubleshoot and resolve technicalissues with Cisco products and technologies. Access tomost tools on the Cisco Support and Documentationwebsite requires a Cisco.com user ID and password.

Feature Information for Secure CopyThis table provides release and related information for features explained in this module.



Secure CopyAdditional References for Secure Copy

http://www.cisco.com/cisco/web/support/index.html


The Secure Copy feature provides a secure andauthenticated method for copying deviceconfigurations or device image files. SCP relies onSSH, an application and protocol that provide asecure replacement for the Berkeley r-tools suite.

The following commands were introduced ormodified: debug ip scp and ip scp server enanle.


Secure CopyCisco IOSXEEverest 16.5.1a


Secure CopyCisco IOS XE Fuji 16.8.1a

SSH bulk mode enables certain optimizations toenhance the throughput performance of proceduresinvolving large amount of data transfer. This modecan be enabled by using the ip ssh bulk-modeglobal configuration command.

Secure CopyPerformanceImprovements


Secure copy in large RTT settings can beconfigured by using thewindow-size variable optionof the ip ssh bulk-mode command.

Secure CopyImprovement in LargeRTT Scenario




Secure CopyFeature Information for Secure Copy



Secure CopyFeature Information for Secure Copy

C H A P T E R 11Configuration Replace and ConfigurationRollback

• Prerequisites for Configuration Replace and Configuration Rollback, on page 255• Restrictions for Configuration Replace and Configuration Rollback, on page 256• Information About Configuration Replace and Configuration Rollback, on page 256• How to Use Configuration Replace and Configuration Rollback, on page 259• Configuration Examples for Configuration Replace and Configuration Rollback, on page 265• Additional References for Configuration Replace and Configuration Rollback, on page 267• Feature History for Configuration Replace and Configuration Rollback, on page 268

Prerequisites for Configuration Replace and ConfigurationRollback

The format of the configuration files used as input by the Configuration Replace and Configuration Rollbackfeature must comply with standard Cisco software configuration file indentation rules as follows:

• Start all commands on a new line with no indentation, unless the command is within a configurationsubmode.

• Indent commands within a first-level configuration submode one space.

• Indent commands within a second-level configuration submode two spaces.

• Indent commands within subsequent submodes accordingly.

These indentation rules describe how the software creates configuration files for such commands as showrunning-config or copy running-config destination-url. Any configuration file generated on a Cisco devicecomplies with these rules.

Free memory larger than the combined size of the two configuration files (the current running configurationand the saved replacement configuration) is required.


Restrictions for Configuration Replace and ConfigurationRollback

If the device does not have free memory larger than the combined size of the two configuration files (thecurrent running configuration and the saved replacement configuration), the configuration replace operationis not performed.

Certain Cisco configuration commands such as those pertaining to physical components of a networkingdevice (for example, physical interfaces) cannot be added or removed from the running configuration. Forexample, a configuration replace operation cannot remove the interface ethernet 0 command line from thecurrent running configuration if that interface is physically present on the device. Similarly, the interfaceethernet 1 command line cannot be added to the running configuration if no such interface is physicallypresent on the device. A configuration replace operation that attempts to perform these types of changes resultsin error messages indicating that these specific command lines failed.

In very rare cases, certain Cisco configuration commands cannot be removed from the running configurationwithout reloading the device. A configuration replace operation that attempts to remove this type of commandresults in error messages indicating that these specific command lines failed.

Information About Configuration Replace and ConfigurationRollback

Configuration ArchiveThe Cisco IOS configuration archive is intended to provide a mechanism to store, organize, and manage anarchive of Cisco IOS configuration files to enhance the configuration rollback capability provided by theconfigure replace command. Before this feature was introduced, you could save copies of the runningconfiguration using the copy running-config destination-url command, storing the replacement file eitherlocally or remotely. However, this method lacked any automated file management. On the other hand, theConfiguration Replace and Configuration Rollback feature provides the capability to automatically save copiesof the running configuration to the Cisco IOS configuration archive. These archived files serve as checkpointconfiguration references and can be used by the configure replace command to revert to previous configurationstates.

The archive config command allows you to save Cisco IOS configurations in the configuration archive usinga standard location and filename prefix that is automatically appended with an incremental version number(and optional timestamp) as each consecutive file is saved. This functionality provides a means for consistentidentification of saved Cisco IOS configuration files. You can specify how many versions of the runningconfiguration are kept in the archive. After the maximum number of files are saved in the archive, the oldestfile is automatically deleted when the next, most recent file is saved. The show archive command displaysinformation for all configuration files saved in the Cisco IOS configuration archive.

The Cisco IOS configuration archive, in which the configuration files are stored and available for use withthe configure replace command, can be located on the following file systems: FTP, HTTP, RCP, TFTP.


Configuration Replace and Configuration RollbackRestrictions for Configuration Replace and Configuration Rollback

Configuration ReplaceThe configure replace privileged EXEC command provides the capability to replace the current runningconfiguration with any saved Cisco IOS configuration file. This functionality can be used to revert to a previousconfiguration state, effectively rolling back any configuration changes that were made since the previousconfiguration state was saved.

When using the configure replace command, you must specify a saved Cisco IOS configuration as thereplacement configuration file for the current running configuration. The replacement file must be a completeconfiguration generated by a Cisco IOS device (for example, a configuration generated by the copyrunning-config destination-url command), or, if generated externally, the replacement file must comply withthe format of files generated by Cisco IOS devices. When the configure replace command is entered, thecurrent running configuration is compared with the specified replacement configuration and a set of diffs isgenerated. The algorithm used to compare the two files is the same as that employed by the show archiveconfig differences command. The resulting diffs are then applied by the Cisco IOS parser to achieve thereplacement configuration state. Only the diffs are applied, avoiding potential service disruption from reapplyingconfiguration commands that already exist in the current running configuration. This algorithm effectivelyhandles configuration changes to order-dependent commands (such as access lists) through a multiple passprocess. Under normal circumstances, no more than three passes are needed to complete a configurationreplace operation, and a limit of five passes is performed to preclude any looping behavior.

The Cisco IOS copy source-url running-config privileged EXEC command is often used to copy a storedCisco IOS configuration file to the running configuration. When using the copy source-url running-configcommand as an alternative to the configure replace target-url privileged EXEC command, the followingmajor differences should be noted:

• The copy source-url running-config command is a merge operation and preserves all of the commandsfrom both the source file and the current running configuration. This command does not remove commandsfrom the current running configuration that are not present in the source file. In contrast, the configurereplace target-url command removes commands from the current running configuration that are notpresent in the replacement file and adds commands to the current running configuration that need to beadded.

• The copy source-url running-config command applies every command in the source file, whether ornot the command is already present in the current running configuration. This algorithm is inefficientand, in some cases, can result in service outages. In contrast, the configure replace target-url commandonly applies the commands that need to be applied—no existing commands in the current runningconfiguration are reapplied.

• A partial configuration file may be used as the source file for the copy source-url running-configcommand, whereas a complete Cisco IOS configuration file must be used as the replacement file for theconfigure replace target-url command.

A locking feature for the configuration replace operation was introduced. When the configure replacecommand is used, the running configuration file is locked by default for the duration of the configurationreplace operation. This locking mechanism prevents other users from changing the running configurationwhile the replacement operation is taking place, which might otherwise cause the replacement operation toterminate unsuccessfully. You can disable the locking of the running configuration by using the no lockkeyword when issuing the configure replace command.

The running configuration lock is automatically cleared at the end of the configuration replace operation. Youcan display any locks that may be currently applied to the running configuration using the show configurationlock command.


Configuration Replace and Configuration RollbackConfiguration Replace

Configuration RollbackThe concept of rollback comes from the transactional processing model common to database operations. Ina database transaction, you might make a set of changes to a given database table. You then must choosewhether to commit the changes (apply the changes permanently) or to roll back the changes (discard thechanges and revert to the previous state of the table). In this context, rollbackmeans that a journal file containinga log of the changes is discarded, and no changes are applied. The result of the rollback operation is to revertto the previous state, before any changes were applied.

The configure replace command allows you to revert to a previous configuration state, effectively rollingback changes that were made since the previous configuration state was saved. Instead of basing the rollbackoperation on a specific set of changes that were applied, the Cisco IOS configuration rollback capability usesthe concept of reverting to a specific configuration state based on a saved Cisco IOS configuration file. Thisconcept is similar to the database idea of saving a checkpoint (a saved version of the database) to preserve aspecific state.

If the configuration rollback capability is desired, you must save the Cisco IOS running configuration beforemaking any configuration changes. Then, after entering configuration changes, you can use that savedconfiguration file to roll back the changes (using the configure replace target-url command). Furthermore,because you can specify any saved Cisco IOS configuration file as the replacement configuration, you are notlimited to a fixed number of rollbacks, as is the case in some rollback models.

Configuration Rollback Confirmed ChangeThe Configuration Rollback Confirmed Change feature allows configuration changes to be performed withan optional requirement that they be confirmed. If this confirmation is not received, the configuration isreturned to the state prior to the changes being applied. Themechanism provides a safeguard against inadvertentloss of connectivity between a network device and the user or management application due to configurationchanges.

Benefits of Configuration Replace and Configuration Rollback• Allows you to revert to a previous configuration state, effectively rolling back configuration changes.

• Allows you to replace the current running configuration file with the startup configuration file withouthaving to reload the device or manually undo CLI changes to the running configuration file, thereforereducing system downtime.

• Allows you to revert to any saved Cisco IOS configuration state.

• Simplifies configuration changes by allowing you to apply a complete configuration file to the device,where only the commands that need to be added or removed are affected.

• When using the configure replace command as an alternative to the copy source-url running-configcommand, increases efficiency and prevents risk of service outages by not reapplying existing commandsin the current running configuration.


Configuration Replace and Configuration RollbackConfiguration Rollback

How to Use Configuration Replace and Configuration Rollback

Creating a Configuration ArchiveNo prerequisite configuration is needed to use the configure replace command. Using the configure replacecommand in conjunction with the Cisco IOS configuration archive and the archive config command is optionalbut offers significant benefit for configuration rollback scenarios. Before using the archive config command,the configuration archive must be configured. Perform this task to configure the characteristics of theconfiguration archive.

Procedure




Device> enable


Example:

Step 2


Enters archive configuration mode.archive

Example:

Step 3

Device(config)# archive

Specifies the location and filename prefix forthe files in the Cisco IOS configuration archive.

path url

Example:

Step 4

If a directory is specified in the pathinstead of file, the directory namemust be followed by a forward slashas follows: path flash:/directory/.The forward slash is not necessaryafter a filename; it is only necessarywhen specifying a directory.

NoteDevice(config-archive)# pathflash:myconfiguration

(Optional) Sets themaximumnumber of archivefiles of the running configuration to be savedin the Cisco IOS configuration archive.

maximum number

Example:

Device(config-archive)# maximum 14

Step 5

• The number argument is the maximumnumber of archive files of the runningconfiguration to be saved in the Cisco IOSconfiguration archive. Valid values arefrom 1 to 14. The default is 10.


Configuration Replace and Configuration RollbackHow to Use Configuration Replace and Configuration Rollback


Before using this command, youmust configure the path commandto specify the location and filenameprefix for the files in the Cisco IOSconfiguration archive.

Note

(Optional) Sets the time increment forautomatically saving an archive file of the

time-period minutes

Example:

Step 6

current running configuration in the Cisco IOSconfiguration archive.

Device(config-archive)# time-period 1440

• Theminutes argument specifies how often,in minutes, to automatically save anarchive file of the current runningconfiguration in the Cisco IOSconfiguration archive.

Before using this command, youmust configure the path commandto specify the location and filenameprefix for the files in the Cisco IOSconfiguration archive.

Note

Exits to privileged EXEC mode.end

Example:

Step 7

Device(config-archive)# end

Saves the current running configuration file tothe configuration archive.

archive config

Example:

Step 8

The path command must beconfigured before using thiscommand.

NoteDevice# archive config

Performing a Configuration Replace or Configuration Rollback OperationPerform this task to replace the current running configuration file with a saved Cisco IOS configuration file.

You must create a configuration archive before performing this procedure. See Creating a ConfigurationArchive for detailed steps. The following procedure details how to return to that archived configuration inthe event of a problem with the current running configuration.

Note


Configuration Replace and Configuration RollbackPerforming a Configuration Replace or Configuration Rollback Operation

Procedure




Device> enable

Replaces the current running configuration filewith a saved Cisco IOS configuration file.

configure replace target-url [nolock] [list][force] [ignore case] [revert trigger [error][timer minutes] | time minutes] ]

Step 2

• The target - url argument is a URL(accessible by the Cisco IOS file system)Example:of the saved Cisco IOS configuration file

Device# configure replace flash:startup-config time 120

that is to replace the current runningconfiguration, such as the configurationfile created using the archive configcommand.

• The list keyword displays a list of thecommand lines applied by the Cisco IOSsoftware parser during each pass of theconfiguration replace operation. The totalnumber of passes performed is alsodisplayed.

• The force keyword replaces the currentrunning configuration file with thespecified saved Cisco IOS configurationfile without prompting you forconfirmation.

• The time minutes keyword and argumentspecify the time (in minutes) within whichyou must enter the configure confirmcommand to confirm replacement of thecurrent running configuration file. If theconfigure confirm command is notentered within the specified time limit, theconfiguration replace operation isautomatically reversed (in other words, thecurrent running configuration file isrestored to the configuration state thatexisted prior to entering the configurereplace command).

• The nolock keyword disables the lockingof the running configuration file thatprevents other users from changing therunning configuration during aconfiguration replace operation.




• The revert trigger keywords set thefollowing triggers for reverting to theoriginal configuration:

• error —Reverts to the originalconfiguration upon error.

• timer minutes —Reverts to theoriginal configuration if specifiedtime elapses.

• The ignore case keyword allows theconfiguration to ignore the case of theconfirmation command.

(Optional) To cancel the timed rollback andtrigger the rollback immediately, or to reset

configure revert { now | timer {minutes | idleminutes} }

Step 3

parameters for the timed rollback, use theExample: configure revertcommand in privileged EXEC

mode.Device# configure revert now

• now—Triggers the rollback immediately.

• timer —Resets the configuration reverttimer.

• Use the minutes argument with thetimer keyword to specify a newrevert time in minutes.

• Use the idle keyword along with atime in minutes to set the maximumallowable time period of no activitybefore reverting to the savedconfiguration.

(Optional) Confirms replacement of the currentrunning configuration file with a saved CiscoIOS configuration file.

configure confirm

Example:

Device# configure confirm

Step 4

Use this command only if the timeseconds keyword and argument ofthe configure replace command arespecified.

Note

Exits to user EXEC mode.exit

Example:

Step 5

Device# exit



Monitoring and Troubleshooting the FeaturePerform this task to monitor and troubleshoot the Configuration Replace and Configuration Rollback feature.

Procedure

Step 1 enable

Use this command to enable privileged EXEC mode. Enter your password if prompted.

Example:

Device> enableDevice#

Step 2 show archive

Use this command to display information about the files saved in the Cisco IOS configuration archive.

Example:

Device# show archiveThere are currently 1 archive configurations saved.The next archive file will be named flash:myconfiguration-2Archive # Name01 flash:myconfiguration-1 <- Most Recent234567891011121314

The following is sample output from the show archive command after several archive files of the runningconfiguration have been saved. In this example, the maximum number of archive files to be saved is set tothree.

Example:

Device# show archiveThere are currently 3 archive configurations saved.The next archive file will be named flash:myconfiguration-8Archive # Name01 :Deleted2 :Deleted3 :Deleted4 :Deleted5 flash:myconfiguration-56 flash:myconfiguration-67 flash:myconfiguration-7 <- Most Recent


Configuration Replace and Configuration RollbackMonitoring and Troubleshooting the Feature

891011121314

Step 3 debug archive versioning

Use this command to enable debugging of the Cisco IOS configuration archive activities to help monitor andtroubleshoot configuration replace and rollback.

Example:

Device# debug archive versioningJan 9 06:46:28.419:backup_running_configJan 9 06:46:28.419:Current = 7Jan 9 06:46:28.443:Writing backup file flash:myconfiguration-7Jan 9 06:46:29.547: backup worked

Step 4 debug archive config timestamp

Use this command to enable debugging of the processing time for each integral step of a configuration replaceoperation and the size of the configuration files being handled.

Example:

Device# debug archive config timestampDevice# configure replace flash:myconfiguration forceTiming Debug Statistics for IOS Config Replace operation:

Time to read file usbflash0:sample_2.cfg = 0 msec (0 sec)Number of lines read:55Size of file :1054

Starting Pass 1Time to read file system:running-config = 0 msec (0 sec)Number of lines read:93Size of file :2539Time taken for positive rollback pass = 320 msec (0 sec)Time taken for negative rollback pass = 0 msec (0 sec)Time taken for negative incremental diffs pass = 59 msec (0 sec)Time taken by PI to apply changes = 0 msec (0 sec)Time taken for Pass 1 = 380 msec (0 sec)

Starting Pass 2Time to read file system:running-config = 0 msec (0 sec)Number of lines read:55Size of file :1054Time taken for positive rollback pass = 0 msec (0 sec)Time taken for negative rollback pass = 0 msec (0 sec)Time taken for Pass 2 = 0 msec (0 sec)

Total number of passes:1Rollback Done

Step 5 exit

Use this command to exit to user EXEC mode.

Example:


Configuration Replace and Configuration RollbackMonitoring and Troubleshooting the Feature

Device# exitDevice>

Configuration Examples for Configuration Replace andConfiguration Rollback

Creating a Configuration ArchiveThe following example shows how to perform the initial configuration of the Cisco IOS configuration archive.In this example, flash:myconfiguration is specified as the location and filename prefix for the files in theconfiguration archive and a value of 10 is set as the maximum number of archive files to be saved.

configure terminal!archivepath flash:myconfigurationmaximum 10end

Replacing the Current Running Configuration with a Saved Cisco IOSConfiguration File

The following example shows how to replace the current running configuration with a saved Cisco IOSconfiguration file named flash:myconfiguration. The configure replace command interactively prompts youto confirm the operation.

Device# configure replace flash:myconfigurationThis will apply all necessary additions and deletionsto replace the current running configuration with thecontents of the specified configuration file, which isassumed to be a complete configuration, not a partialconfiguration. Enter Y if you are sure you want to proceed. ? [no]: YTotal number of passes: 1Rollback Done

In the following example, the list keyword is specified in order to display the command lines that were appliedduring the configuration replace operation:

Device# configure replace flash:myconfiguration listThis will apply all necessary additions and deletionsto replace the current running configuration with thecontents of the specified configuration file, which isassumed to be a complete configuration, not a partialconfiguration. Enter Y if you are sure you want to proceed. ? [no]: Y!Pass 1!List of Commands:no snmp-server community public ro


Configuration Replace and Configuration RollbackConfiguration Examples for Configuration Replace and Configuration Rollback

snmp-server community mystring ro

endTotal number of passes: 1Rollback Done

Reverting to the Startup Configuration FileThe following example shows how to revert to the Cisco IOS startup configuration file using the configurereplace command. This example also shows the use of the optional force keyword to override the interactiveuser prompt:

Device# configure replace flash:startup-config forceTotal number of passes: 1Rollback Done

Performing a Configuration Replace Operation with the configure confirmCommand

The following example shows the use of the configure replace command with the time minutes keywordand argument. You must enter the configure confirm command within the specified time limit to confirmreplacement of the current running configuration file. If the configure confirm command is not entered withinthe specified time limit, the configuration replace operation is automatically reversed (in other words, thecurrent running configuration file is restored to the configuration state that existed prior to entering theconfigure replace command).

Device# configure replace flash:startup-config time 120This will apply all necessary additions and deletionsto replace the current running configuration with thecontents of the specified configuration file, which isassumed to be a complete configuration, not a partialconfiguration. Enter Y if you are sure you want to proceed. ? [no]: YTotal number of passes: 1Rollback DoneDevice# configure confirm

The following example shows the use of the configure revert command with the timer keyword. You mustenter the configure revert command to cancel the timed rollback and trigger the rollback immediately, or toreset parameters for the timed rollback.

Device# configure revert timer 100

Performing a Configuration Rollback OperationThe following example shows how to make changes to the current running configuration and then roll backthe changes. As part of the configuration rollback operation, you must save the current running configurationbefore making changes to the file. In this example, the archive config command is used to save the currentrunning configuration. The generated output of the configure replace command indicates that only one passwas performed to complete the rollback operation.


Configuration Replace and Configuration RollbackReverting to the Startup Configuration File

Before using the archive config command, you must configure the path command to specify the locationand filename prefix for the files in the Cisco IOS configuration archive.

Note

You first save the current running configuration in the configuration archive as follows:

archive config

You then enter configuration changes as shown in the following example:

configure terminal!user netops2 password rainuser netops3 password snowexit

After having made changes to the running configuration file, assume you now want to roll back these changesand revert to the configuration that existed before the changes were made. The show archive command isused to verify the version of the configuration to be used as a replacement file. The configure replace commandis then used to revert to the replacement configuration file as shown in the following example:

Device# show archiveThere are currently 1 archive configurations saved.The next archive file will be named flash:myconfiguration-2Archive # Name01 flash:myconfiguration-1 <- Most Recent2345678910

Device# configure replace flash:myconfiguration-1Total number of passes: 1Rollback Done

Additional References for Configuration Replace andConfiguration Rollback

Related Documents




Configuration Replace and Configuration RollbackAdditional References for Configuration Replace and Configuration Rollback

Feature History for Configuration Replace and ConfigurationRollback




The Cisco IOS configuration archive is intendedto provide a mechanism to store, organize, andmanage an archive of Cisco IOS configuration filesto enhance the configuration rollback capabilityprovided by the configure replace command.


Configuration Replaceand ConfigurationRollback



Configuration Replaceand ConfigurationRollback




Configuration Replace and Configuration RollbackFeature History for Configuration Replace and Configuration Rollback


C H A P T E R 12BIOS Protection

• Introduction to BIOS Protection, on page 269• ROMMON Upgrade, on page 269• Feature History for BIOS Protection, on page 271

Introduction to BIOS ProtectionBIOS protection feature enables write-protection and secure upgrade of the golden ROMMON image.ROMMON is a bootstrap program that initializes the hardware and boots the Cisco IOS XE software imagewhen you power on or restart the device. ROMMON upgrades can be required to resolve firmware defectsor to support new features. Typically, ROMMonitor upgrades are infrequent and not required for every CiscoIOS XE software upgrade.

Without BIOS protection feature, golden ROMMON may be corrupted by malicious code during softwareupgrades.

ROMMON UpgradeROMMON images are stored on the SPI flash device as primary ROMMON and golden ROMMON. PrimaryROMMON boots every time the device is powered on or restarted. If the primary ROMMON gets corrupted,the device uses the golden ROMMON to boot the IOS XE software image. When the device boots from theprimary ROMMON, golden ROMMON is locked. With BIOS protection, golden ROMMON is madewrite-protected and cannot be upgraded using the flash utility upgrademechanism. Access policies are governedby the FPGA firmware. FPGA blocks the disallowed operations such as write, erase etc on the goldenROMMON SPI flash device.

Golden ROMMON upgrade is not enabled without secure-boot FPGA upgrade.Note

• Primary FPGA and golden FPGA (secure-boot FPGA) is automatically upgraded when the device boots.

• On the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the series, you must manuallyupgrade the ROMMON in the primary SPI flash device, if a new version is applicable, and the releaseyou are upgrading from is Cisco IOS XE Gibraltar 16.12.1 or a later release. (So if you upgrade fromCisco IOS XE Gibraltar 16.11.1 for example, a manual upgrade does not apply; the ROMMON is


automatically updated, if applicable). Enter the upgrade rom-monitor capsule primary switch commandin privileged EXEC mode.

• On the C9500-24Y4C, C9500-32C, C9500-32QC, and C9500-48Y4C models of the series, primaryROMMON is upgraded automatically. When you upgrade from an existing release on your switch to alater or newer release for the first time, and there is a new ROMMON version in the new release, thesystem automatically upgrades the ROMMON in the primary SPI flash device, based on the hardwareversion of the switch when you boot up your switch with the new image for the first time.

• Golden ROMMON can be upgraded using the capsule upgrade. Enter the upgrade rom-monitor capsulegolden switch command in privileged EXEC mode.

The upgrade process varies between standalone and high availability systems and is explained below.

Standalone Systems

For a standalone device, when your upgrade the device in install mode, the primary ROMMON is automaticallyupgraded when the device boots. Golden ROMMON can be upgraded using the capsule upgrade.

High Availability and StackWise Virtual Systems

We recommend that you perfom In-Service-Software-Upgrade (ISSU) for devices in a high availability setup.FPGA upgrades occur as part of ISSU.

If you are performing the upgrade in install mode with reload, do not reload both the supervisors at the sametime. With the standby supervisor in ROMMON state, boot the active supervisor. When ROMMON upgradeis completed on each supervisor, FPGA and software image is upgraded.

Boot the standby supervisor and allow the standby supervisor to upgrade and reach standby hot state.

Capsule UpgradeIn a capsule upgrade, a secure update capsule is created and signed which is used by the primary ROMMONafter authentication for upgrading the golden ROMMON. The secure update capsule requires a secure flashcertificate. Secure flash certificate is created using the product key and added to the primary ROMMON imageto verify the authenticity of the update capsule. A capsule is now created using the secure flash certificate anda secure boot 16 MB flash image and signed.

When the device boots, the primary ROMMON triggers the capsule upgrade for the golden ROMMON. Toperform capsule upgrade for the golden ROMMON, use the upgrade rom-monitor capsule golden switchcommand in privileged EXEC mode.

The following processes occur in a capsule upgrade:

• The device checks if secure-boot FPGA upgrade is enabled. If not, the process exits.

• The device checks if bootloader protection is enabled. If not, a one-time upgrade of primary ROMMON,golden ROMMON, and primary FPGA is initiated.

• If bootloader protection is already active, IOS copies the secure update capsule to bootflash and thedevice reboots.

• When the device reboots, secure update capsule is picked for performing the upgrade.


BIOS ProtectionCapsule Upgrade

Feature History for BIOS ProtectionThis table provides release and related information for features explained in this module.



BIOS Protection feature enables write-protectionand secure upgrade of the golden ROMMONimage.

BIOS ProtectionCisco IOS XE Gibraltar16.12.1

Support for capsule upgrade for golden ROMMONusing upgrade rom-monitor capsule switch activecommand was enabled.

Capsule UpgradeCisco IOS XE Amsterdam17.1.1



BIOS ProtectionFeature History for BIOS Protection



BIOS ProtectionFeature History for BIOS Protection

C H A P T E R 13Software Maintenance Upgrade

The Software Maintenance Upgrade (SMU) is a package that can be installed on a system to provide a fix ora security resolution to a released image.

• Restrictions for Software Maintenance Upgrade, on page 273• Information About Software Maintenance Upgrade, on page 273• How to Manage Software Maintenance Updates, on page 274• Configuration Examples for Software Maintenance Upgrade, on page 276• Additional References for Software Maintenance Upgrade, on page 281• Feature History for Software Maintenance Upgrade, on page 281

Restrictions for Software Maintenance Upgrade• SMU supports patching using install mode only.

Information About Software Maintenance Upgrade

SMU OverviewThe SMU is a package that can be installed on a system to provide a fix or a security resolution to a releasedimage. An SMU package is provided on a per release and per component basis.

An SMU provides a significant benefit over classic Cisco IOS software because it allows you to addressnetwork issues quickly while reducing the time and scope of the testing required. The Cisco IOS XE platforminternally validates SMU compatibility and does not allow you to install noncompatible SMUs.

All the SMUs are integrated into the subsequent Cisco IOS XE software maintenance releases. An SMU isan independent and self-sufficient package and it does not have any prerequisites or dependencies. You canchoose which SMUs to install or uninstall in any order.

SMUs are supported only on Extended Maintenance releases and for the full lifecycle of the underlyingsoftware release.

Perform these basic steps to install an SMU:

1. Add the SMU to the filesystem.


2. Activate the SMU on the system.

3. Commit the SMU changes so that it is persistent across reloads.

SMU WorkflowThe SMU process is initiated with a request to the Cisco Customer Support. Contact your customer supportto raise an SMU request.

At release time, the SMU package is posted to the Cisco Software Download page and can be downloadedand installed.

SMU PackageThe SMU package contains a small set of files for patching the release along with metadata that describes thecontents of the package, and fix for the reported issue that the SMU is requested for. The SMU package alsosupports patching of the public key infrastructure (PKI) component.

SMU ReloadThe SMU type describes the effect the installed SMU has on the corresponding system. SMUs might not havean impact on traffic, or might result in device restart, reload, or switchover. Run the show install packageflash: filename command to verify whether a reload is required or not.

Hot patching enables SMU to take effect after activation without the system having to be reloaded. After theSMU is committed, the changes are persistent across reloads. In certain cases, SMUs may require a cold(complete) reload of the operating system. This action affects the traffic flow for the duration of the reload.If a cold reload is required, users will be prompted to confirm the action.

How to Manage Software Maintenance UpdatesThe following sections provide information about managing SMUs.

You can install, activate, and commit an SMU package using a single command or using separate commands.

Installing an SMU PackageThis task shows how to use the install add file activate commit command for installing an SMU package.

Procedure


Enables privileged EXEC mode. Enter yourpassword, if prompted.

enable

Example:

Step 1

Device> enable


Software Maintenance UpgradeSMU Workflow

https://www.cisco.com/c/en_in/support/index.html


Copies the maintenance update package fromflash, performs a compatibility check for the

install add file flash: filename [activatecommit]

Step 2

platform and image versions, activates the SMUExample: package, and makes the package persistentDevice# install add fileflash:cat9k_iosxe.BLD_SMU_20180302_085005_

across reloads. This command extracts theindividual components of the .bin file into thesubpackages and packages.conf files.

TWIG_LATEST_20180306_013805.3.SSA.smu.binactivate commit

You can also copy the maintenance updatepackage from from a remote location (throughFTP, HTTP, HTTPS, or TFTP).

If the SMU file is copied usingTFTP, use bootflash to activate theSMU.

Note

Exits privileged EXECmode and returns to userEXEC mode.

exit

Example:

Step 3

Device# exit

Managing an SMU Package

Procedure


Enables privileged EXEC mode. Enter yourpassword, if prompted.

enable

Example:

Step 1

Device> enable

Copies the SMUpackage from a source locationto the device (in case source location is remote),

install add file flash: filename

Example:

Step 2

and then performs a compatibility check for theDevice# install add fileflash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin

platform and image versions, and adds the SMUpackage on all member nodes or FRUs, asapplicable. This command also runs basecompatibility checks on a file to ensure that theSMU package is supported on the platform. Italso adds an entry in the package/SMU.stafile, so that its status can be monitored andmaintained.

Runs compatibility checks, installs the package,and updates the package status details.

install activate file flash: filename

Example:

Step 3

Device# install activate add fileflash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin


Software Maintenance UpgradeManaging an SMU Package


Commits the activation changes to be persistentacross reloads. The commit can be done after

install commit

Example:

Step 4

activation when the system is up, or after theDevice# install commit first reload. If a package is activated, but not

committed, it remains active after the firstreload, but not after the second reload.

Returns the device to the previous installationstate.

install rollback to {base | committed | idcommit-ID}

Example:

Step 5

Device# install rollback to committed

Deactivates an active package and updates thepackage status.

install deactivate file flash: filename

Example:

Step 6

Device# install deactivate fileflash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin

Verifies if the specified SMU is inactive and ifit is, deletes it from the file system. The inactive

install remove {file flash: filename | inactive}

Example:

Step 7

option deletes all the inactive packages fromthe file system.Device# install remove file

flash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin

Displays the image version on the device.show version

Example:

Step 8

Device# show version

Displays information about the installationstatus of packages. The output of this command

show install summary

Example:

Step 9

varies according to the install commands thatare configured.Device# show install summary

Configuration Examples for Software Maintenance UpgradeThe following is a list of SMU configuration examples.

Example: Managing an SMU

• The examples used in this section are of hot patching SMU.Note

The following example shows how to copy an SMU file to flash:


Software Maintenance UpgradeConfiguration Examples for Software Maintenance Upgrade

Device# copy ftp://172.16.0.10//auto/ftpboot/user/cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin

flash:Destination filename[cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin]?Accessing ftp://172.16.0.10//auto/ftpboot/folder1/cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin...Loading /auto/ftpboot/folder1/cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin from172.16.0.10 (via GigabitEthernet0): ![OK - 17668 bytes]17668 bytes copied in 0.058 secs (304621 bytes/sec)

The following example shows how to add a maintenance update package file:Device# install add fileflash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin

install_add: START Mon Mar 5 21:48:51 PST 2018install_add: Adding SMU

--- Starting initial file syncing ---Info: Finished copyingflash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin to theselected switch(es)Finished initial file syncing

Executing pre scripts....

Executing pre scripts done.--- Starting SMU Add operation ---Performing SMU_ADD on all members[1] SMU_ADD package(s) on switch 1[1] Finished SMU_ADD on switch 1

Checking status of SMU_ADD on [1]SMU_ADD: Passed on [1]Finished SMU Add operation

SUCCESS: install_add/flash/cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin MonMar 5 21:49:00 PST 2018

The following is a sample output from the show install summary command after adding an SMUpackage file to the device:Device# show install summary

[ Switch 1 ] Installed Package(s) Information:State (St): I - Inactive, U - Activated & Uncommitted,

C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------SMU I flash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.binIMG C 16.9.1.0.43131

--------------------------------------------------------------------------------Auto abort timer: inactive--------------------------------------------------------------------------------

The following example shows how to activate an added SMU package file:


Software Maintenance UpgradeExample: Managing an SMU

Device# install activate fileflash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin

install_activate: START Mon Mar 5 21:49:22 PST 2018install_activate: Activating SMUExecuting pre scripts....

Executing pre scripts done.

--- Starting SMU Activate operation ---Performing SMU_ACTIVATE on all members[1] SMU_ACTIVATE package(s) on switch 1[1] Finished SMU_ACTIVATE on switch 1

Checking status of SMU_ACTIVATE on [1]SMU_ACTIVATE: Passed on [1]Finished SMU Activate operation

SUCCESS: install_activate/flash/cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin MonMar 5 21:49:34 PST 2018

The following a sample output from the show version command:Device# show version

Cisco IOS XE Software, Version BLD_POLARIS_DEV_LATEST_20180302_085005_2 - SMU-PATCHEDCisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Experimental Version16.9.20180302:085957 [polaris_dev-/nobackup/mcpre/BLD-BLD_POLARIS_DEV_LATEST_20180302_085005 166]Copyright (c) 1986-2018 by Cisco Systems, Inc.Compiled Fri 02-Mar-18 09:50 by mcpre...

The following is a sample output from the show install summary command displays the status ofthe SMU package as active and uncommitted:Device# show install summary


C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------SMU U flash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.binIMG C 16.9.1.0.43131

--------------------------------------------------------------------------------Auto abort timer: active on install_activate, time before rollback - 01:59:50--------------------------------------------------------------------------------

The following is a sample output from the show install active command:Device# show install active

[ Switch 1 ] Active Package(s) Information:State (St): I - Inactive, U - Activated & Uncommitted,

C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------SMU U flash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin



IMG C 16.9.1.0.43131

The following example shows how to execute the install commit command:Device# install commit

install_commit: START Mon Mar 5 21:50:52 PST 2018install_commit: Committing SMUExecuting pre scripts....

Executing pre scripts done.--- Starting SMU Commit operation ---Performing SMU_COMMIT on all members[1] SMU_COMMIT package(s) on switch 1[1] Finished SMU_COMMIT on switch 1

Checking status of SMU_COMMIT on [1]SMU_COMMIT: Passed on [1]Finished SMU Commit operation

SUCCESS: install_commit/flash/cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin MonMar 5 21:51:01 PST 2018

The following is a sample output from the show install summary command displays that the updatepackage is now committed, and that it will be persistent across reloads:Device# show install summary


C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------SMU C flash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.binIMG C 16.9.1.0.43131


The following example shows how to rollback an update package to the committed package:Device# install rollback to committed

install_rollback: START Mon Mar 5 21:52:18 PST 2018install_rollback: Rolling back SMUExecuting pre scripts....


--- Starting SMU Rollback operation ---Performing SMU_ROLLBACK on all members[1] SMU_ROLLBACK package(s) on switch 1[1] Finished SMU_ROLLBACK on switch 1

Checking status of SMU_ROLLBACK on [1]SMU_ROLLBACK: Passed on [1]Finished SMU Rollback operation

SUCCESS: install_rollback/flash/cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin Mon



Mar 5 21:52:30 PST 2018

The following is a sample output from the show install summary command:Device# show install summary


C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------IMG C 16.9.1.0.43131


The following example shows how to deactivate an SMU package file:Device# install deactivate fileflash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin

install_deactivate: START Mon Mar 5 21:54:06 PST 2018install_deactivate: Deactivating SMUExecuting pre scripts....


--- Starting SMU Deactivate operation ---Performing SMU_DEACTIVATE on all members[1] SMU_DEACTIVATE package(s) on switch 1[1] Finished SMU_DEACTIVATE on switch 1

Checking status of SMU_DEACTIVATE on [1]SMU_DEACTIVATE: Passed on [1]Finished SMU Deactivate operation

SUCCESS: install_deactivate/flash/cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin MonMar 5 21:54:17 PST 2018

The following is a sample output from the show install summary command:Device# show install summary


C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------SMU D flash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.binIMG C 16.9.1.0.43131

--------------------------------------------------------------------------------Auto abort timer: active on install_deactivate, time before rollback - 01:59:50--------------------------------------------------------------------------------

The following example shows how to remove an SMU from the device:Device# install remove fileflash:cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin



install_remove: START Mon Mar 5 22:03:50 PST 2018install_remove: Removing SMUExecuting pre scripts....


--- Starting SMU Remove operation ---Performing SMU_REMOVE on all members[1] SMU_REMOVE package(s) on switch 1[1] Finished SMU_REMOVE on switch 1

Checking status of SMU_REMOVE on [1]SMU_REMOVE: Passed on [1]Finished SMU Remove operation

SUCCESS: install_remove/flash/cat9k_iosxe.BLD_SMU_20180302_085005_TWIG_LATEST_20180306_013805.3.SSA.smu.bin MonMar 5 22:03:58 PST 2018

The following is a sample output from the show install summary command:



C - Activated & Committed, D - Deactivated & Uncommitted--------------------------------------------------------------------------------Type St Filename/Version--------------------------------------------------------------------------------IMG C 16.9.1.0.43131


Additional References for Software Maintenance UpgradeRelated Documents



Feature History for Software Maintenance UpgradeThis table provides release and related information for features explained in this module.



Software Maintenance UpgradeAdditional References for Software Maintenance Upgrade


An SMU is a package that can be installed on asystem to provide a fix or a security resolution toa released image.

Support for this feature was introduced on theC9500-12Q, C9500-16X, C9500-24Q, C9500-40Xmodels of the Cisco Catalyst 9500 Series Switches.

Software MaintenanceUpgrade (SMU)

Cisco IOS XE Everest 16.6.1

Support for this feature was introduced on theC9500-32C, C9500-32QC, C9500-48Y4C, andC9500-24Y4C models of Cisco Catalyst 9500Series Switches.

Software MaintenanceUpgrade (SMU)

Cisco IOS XE Fuji 16.9.1

Hot patching enables SMU to take effect afteractivationwithout the system having to be reloaded.

Support for hot patching was introduced on allmodels of Cisco Catalyst 9500 Series Switches.

Hot patching

The SMU package supports patching of the PKIcomponent.

Support for this enhancement was introduced onall models of Cisco Catalyst 9500 Series Switches.

Public KeyInfrastructure (PKI)Patching

Cisco IOS XE Gibraltar16.10.1



Software Maintenance UpgradeFeature History for Software Maintenance Upgrade


C H A P T E R 14Working with the Flash File System

• Information About the Flash File System, on page 283• Displaying Available File Systems, on page 283• Setting the Default File System, on page 285• Displaying Information About Files on a File System, on page 285• Changing Directories and Displaying the Working Directory , on page 287• Creating Directories , on page 287• Copying Files, on page 288• Creating, Displaying and Extracting Files , on page 290• Additional References for Flash File System, on page 291• Feature History for Flash File System, on page 292

Information About the Flash File SystemThe flash file system is a single flash device on which you can store files. It also provides several commandsto help you manage software bundles and configuration files. The default flash file system on the device isnamed flash:.

As viewed from the active device, flash: refers to the local flash device, which is the device attached to thesame device on which the file system is being viewed. In a device stack, each of the flash devices from thevarious stack members can be viewed from the active device. The names of these flash file systems includethe corresponding device member numbers. For example, flash-3:, as viewed from the active device, refersto the same file system as does flash: on stackmember 3. Use the show file systems privileged EXEC commandto list all file systems, including the flash file systems in the device stack.

Only one user at a time can manage the software bundles and configuration files for a device stack.

Displaying Available File SystemsTo display the available file systems on your device, use the show file systems privileged EXEC commandas shown in this example for a standalone device:Device# show file systemsSize(b) Free(b) Type Flags Prefixes- - opaque rw system:- - opaque rw tmpsys:


1651314688 1559785472 disk rw crashinfo:* 11353194496 9693396992 disk rw flash:8049967104 7959392256 disk ro webui:- - opaque rw null:- - opaque ro tar:- - network rw tftp:2097152 2080848 nvram rw nvram:- - opaque wo syslog:- - network rw rcp:- - network rw http:- - network rw ftp:- - network rw scp:- - network rw https:- - opaque ro cns:

Device# show file systemsFile Systems:

Size(b) Free(b) Type Flags Prefixes- - opaque rw system:- - opaque rw tmpsys:

* 11250098176 9694093312 disk rw bootflash: flash:1651314688 1232220160 disk rw crashinfo:

118148280320 112084115456 disk rw disk0:189628416 145387520 disk rw usbflash0:7763918848 7696850944 disk ro webui:

- - opaque rw null:- - opaque ro tar:- - network rw tftp:

33554432 33532852 nvram rw nvram:- - opaque wo syslog:- - network rw rcp:- - network rw http:- - network rw ftp:- - network rw scp:- - network rw https:- - opaque ro cns:

Table 15: show file systems Field Descriptions

ValueField

Amount of memory in the file system in bytes.Size(b)

Amount of free memory in the file system in bytes.Free(b)

Type of file system.

disk—The file system is for a flash memory device, USB flash, andcrashinfo file.

network—The file system for network devices; for example, an FTPserver or and HTTP server.

nvram—The file system is for a NVRAM device.

opaque—The file system is a locally generated pseudo file system(for example, the system) or a download interface, such as brimux.

unknown—The file system is an unknown type.

Type


Working with the Flash File SystemDisplaying Available File Systems

ValueField

Permission for file system.

ro—read-only.

rw—read/write.

wo—write-only.

Flags

Alias for file system.

crashinfo:—Crashinfo file.

flash:—Flash file system.

ftp:—FTP server.

http:—HTTP server.

https:—Secure HTTP server.

nvram:—NVRAM.

null:—Null destination for copies. You can copy a remote file to nullto find its size.

rcp:—Remote Copy Protocol (RCP) server.

scp:—Session Control Protocol (SCP) server.

system:—Contains the system memory, including the runningconfiguration.

tftp:—TFTP network server.

usbflash0:—USB flash memory.

ymodem:—Obtain the file from a network machine by using theYmodem protocol.

Prefixes

Setting the Default File SystemYou can specify the file system or directory that the system uses as the default file system by using the cdfilesystem: privileged EXEC command. You can set the default file system to omit the filesystem: argumentfrom related commands. For example, for all privileged EXEC commands that have the optional filesystem:argument, the system uses the file system specified by the cd command.

By default, the default file system is flash:.

You can display the current default file system as specified by the cd command by using the pwd privilegedEXEC command.

Displaying Information About Files on a File SystemYou can view a list of the contents of a file system before manipulating its contents. For example, beforecopying a new configuration file to flash memory, you might want to verify that the file system does not


Working with the Flash File SystemSetting the Default File System

already contain a configuration file with the same name. Similarly, before copying a flash configuration fileto another location, you might want to verify its filename for use in another command. To display informationabout files on a file system, use one of the privileged EXEC commands listed in the following table.

Table 16: Commands for Displaying Information About Files

DescriptionCommand

Displays a list of files on a file system.dir [/all][filesystem:filename]

Displays more information about each of the files on a file system.show file systems

Displays information about a specific file.show file informationfile-url

Displays a list of open file descriptors. File descriptors are the internalrepresentations of open files. You can use this command to see if another userhas a file open.

show file descriptors

For example, to display a list of all files in a file system, use the dir privileged EXEC command:

Device# dir flash:DDirectory of bootflash:/

616513 drwx 4096 Jul 15 2015 07:11:35 +00:00 .installer608402 -rw- 33818 Sep 25 2015 11:41:35 +00:00 bootloader_evt_handle.log608403 drwx 4096 Feb 27 2017 13:56:47 +00:00 .ssh608410 -rw- 0 Jun 5 2015 10:16:17 +00:00 dc_stats.txt608411 drwx 20480 Sep 23 2015 11:50:13 +00:00 core624625 drwx 4096 Sep 23 2015 12:29:27 +00:00 .prst_sync640849 drwx 4096 Feb 27 2017 13:57:30 +00:00 .rollback_timer608412 drwx 4096 Jun 17 2015 18:12:47 +00:00 orch_test_logs608413 -rw- 33554432 Sep 25 2015 11:43:15 +00:00 nvram_config608417 -rw- 35 Sep 25 2015 20:17:42 +00:00 pnp-tech-time608439 -rw- 214054 Sep 25 2015 20:17:48 +00:00 pnp-tech-discovery-summary608419 drwx 4096 Jul 23 2015 07:50:25 +00:00 util616514 drwx 4096 Mar 18 2015 11:09:04 +00:00 onep608442 -rw- 556 Mar 18 2015 11:19:34 +00:00 vlan.dat608448 -rw- 1131779 Mar 28 2015 13:13:48 +00:00 log.txt616516 drwx 4096 Apr 1 2015 09:34:56 +00:00 gs_script616517 drwx 4096 Apr 6 2015 09:42:38 +00:00 tools608440 -rw- 252 Sep 25 2015 11:41:52 +00:00 boothelper.log624626 drwx 4096 Apr 17 2015 06:10:55 +00:00 SD_AVC_AUTO_CONFIG608488 -rw- 98869 Sep 25 2015 11:42:15 +00:00 memleak.tcl608437 -rwx 17866 Jul 16 2015 04:01:10 +00:00 ardbeg_x86632745 drwx 4096 Aug 20 2015 11:35:09 +00:00 CRDU632746 drwx 4096 Sep 16 2015 08:57:44 +00:00 ardmore608418 -rw- 1595361 Jul 8 2015 11:18:33 +00:00system-report_RP_0_20150708-111832-UTC.tar.gz608491 -rw- 67587176 Aug 12 2015 05:30:35 +00:00 mcln_x86_kernel_20170628.SSA608492 -rwx 74880100 Aug 12 2015 05:30:57 +00:00 stardust.x86.idprom.0718B

11250098176 bytes total (9128050688 bytes free)Device#


Working with the Flash File SystemDisplaying Information About Files on a File System

Changing Directories and Displaying the Working DirectoryFollow these steps to change directories and to display the working directory:

Procedure




Device> enable

Displays the directories on the specified filesystem.

dir filesystem:

Example:

Step 2

For filesystem:, use flash: for the system boardflash device.Device# dir flash:

Navigates to the specified directory.cd directory_nameStep 3

Example: The command example shows how to navigateto the directory named new_configs.

Device# cd new_configs

Displays the working directory.pwd

Example:

Step 4

Device# pwd

Navigates to the default directory.cd

Example:

Step 5

Device# cd

Creating DirectoriesBeginning in privileged EXEC mode, follow these steps to create a directory:

Procedure


Displays the directories on the specified filesystem.

dir filesystem:

Example:

Step 1

For filesystem:, use flash: for the system boardflash device.Device# dir flash:


Working with the Flash File SystemChanging Directories and Displaying the Working Directory


Creates a new directory. Directory names arecase sensitive and are limited to 45 characters

mkdir directory_name

Example:

Step 2

between the slashes (/); the name cannot contain

Device# mkdir new_configscontrol characters, spaces, slashes, quotes,semicolons, or colons.

Verifies your entry.dir filesystem:

Example:

Step 3

Device# dir flash:

Removing DirectoriesTo remove a directory with all its files and subdirectories, use the delete /force /recursive filesystem:/file-urlprivileged EXEC command.

Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it.Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. Youare prompted only once at the beginning of this deletion process.

For filesystem, use flash: for the system board flash device. For file-url, enter the name of the directory to bedeleted. All of the files in the directory and the directory are removed.

When directories are deleted, their contents cannot be recovered.Caution

Copying FilesTo copy a file from a source to a destination, use the copy source-url destination-url privileged EXECcommand. For the source and destination URLs, you can use running-config and startup-config keywordshortcuts. For example, the copy running-config startup-config command saves the currently runningconfiguration file to the NVRAM section of flash memory to be used as the configuration during systeminitialization.

You can also copy from special file systems (xmodem:, ymodem:) as the source for the file from a networkmachine that uses the Xmodem or Ymodem protocol.

Network file system URLs include ftp:, rcp:, tftp:, scp:, http:, and https: and have these syntaxes:

• FTP—ftp:[[//username [:password]@location]/directory]/filename

• RCP—rcp:[[//username@location]/directory]/filename

• TFTP—tftp:[[//location]/directory]/filename

• SCP—scp:[[//username [:password]@location]/directory]/filename

• HTTP—http:[[//username [:password]@location]/directory]/filename

• HTTPS—https:[[//username [:password]@location]/directory]/filename


Working with the Flash File SystemRemoving Directories

The password must not contain the special character '@'. If the character '@' is used, the copy fails to parsethe IP address of the server.

Note

Local writable file systems include flash:.

Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations:

• From a running configuration to a running configuration

• From a startup configuration to a startup configuration

• From a device to the same device (for example, the copy flash: flash: command is invalid)

Copying Files from One in a Stack to Another in the Same StackTo copy a file from one in a stack to another in the same stack, use the flash-X: notation, where X is thenumber.

To view all es in a stack, use the show switch command in privileged EXECmode, as in the following exampleof a 9-member stack:

To view all file systems available to copy on a specific , use the copy command as in the following exampleof a 5-member stack:

This example shows how to copy a config file stored in the flash partition of 2 to the flash partition of 4. Itassumes that 2 and 4 are in the same stack.

# copy flash-2:config.txt flash-4:config.txt

Deleting FilesWhen you no longer need a file on a flash memory device, you can permanently delete it. To delete a file ordirectory from a specified flash device, use the delete [/force] [/recursive] [filesystem:]/file-url privilegedEXEC command.

Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Usethe /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You areprompted only once at the beginning of this deletion process. Use the /force and /recursive keywords fordeleting old software images that were installed by using the archive download-sw command but are nolonger needed.

If you omit the filesystem: option, the device uses the default device specified by the cd command. For file-url,you specify the path (directory) and the name of the file to be deleted.

When you attempt to delete any files, the system prompts you to confirm the deletion.

When files are deleted, their contents cannot be recovered.Caution

This example shows how to delete the file myconfig from the default flash memory device:


Working with the Flash File SystemCopying Files from One in a Stack to Another in the Same Stack

Device# delete myconfig

Creating, Displaying and Extracting FilesYou can create a file and write files into it, list the files in a file, and extract the files from a file as describedin the next sections.

Beginning in privileged EXEC mode, follow these steps to create a file, display the contents, and extract it:

Procedure


Creates a file and adds files to it.archive tar /create destination-url flash:/file-url

Step 1

For destination-url, specify the destination URLalias for the local or network file system andthe name of the file to create:

Example:

Device# archive tar /create • Local flash file system syntax:tftp:172.20.10.30/saved.flash:/new-configs flash:

• FTP syntax:

ftp:[[//username[:password]@location]/directory]/-filename.• RCP syntax:

rcp:[[//username@location]/directory]/-filename.• TFTP syntax:

tftp:[[//location]/directory]/-filename.

For flash:/file-url, specify the location on thelocal flash file system in which the new file iscreated. You can also specify an optional listof files or directories within the source directoryto add to the new file. If none are specified, allfiles and directories at this level are written tothe newly created file.

Displays the contents of a file.archive tar /table source-urlStep 2

Example: For source-url, specify the source URL aliasfor the local or network file system. The

Device# archive tar /tableflash: /new_configs

-filename. is the file to display. These optionsare supported:

• Local flash file system syntax:

flash:• FTP syntax:


rcp:[[//username@location]/directory]/-filename.


Working with the Flash File SystemCreating, Displaying and Extracting Files


• TFTP syntax:


You can also limit the file displays byspecifying a list of files or directories after thefile. Only those files appear. If none arespecified, all files and directories appear.

Extracts a file into a directory on the flash filesystem.

archive tar /xtract source-url flash:/file-url[dir/file...]

Step 3

Example: For source-url, specify the source URL aliasfor the local file system. The -filename. is the

Device# archive tar /xtract file from which to extract files. These optionsare supported:tftp:/172.20.10.30/saved.

flash:/new-configs• Local flash file system syntax:

flash:• FTP syntax:


rcp:[[//username@location]/directory]/-filename.• TFTP syntax:


For flash:/file-url [dir/file...], specify thelocation on the local flash file system fromwhich the file is extracted. Use the dir/file...option to specify a list of files or directorieswithin the file to be extracted. If none arespecified, all files and directories are extracted.

Displays the contents of any readable file,including a file on a remote file system.

more [ /ascii | /binary | /ebcdic] /file-url

Example:

Step 4

Device# moreflash:/new-configs

Additional References for Flash File SystemRelated Documents


Cisco IOS Configuration Fundamentals Command ReferenceCommands for managing flash: file systems


Working with the Flash File SystemAdditional References for Flash File System

Feature History for Flash File SystemThis table provides release and related information for features explained in this module.



The flash file system is a single flash device onwhich you can store files. It also provides severalcommands to help you manage software bundlesand configuration files.


Flash File SystemCisco IOSXEEverest 16.5.1a


Flash File SystemCisco IOS XE Fuji 16.8.1a



Working with the Flash File SystemFeature History for Flash File System


C H A P T E R 15Performing Factory Reset

• Prerequisites for Performing a Factory Reset, on page 293• Restrictions for Performing a Factory Reset, on page 293• Information About Performing a Factory Reset, on page 293• How to Perform a Factory Reset, on page 294• Configuration Examples for Performing a Factory Reset, on page 296• Additional References for Performing a Factory Reset, on page 299• Feature History for Performing a Factory Reset, on page 299

Prerequisites for Performing a Factory Reset• Ensure that all the software images, including the current image, configurations, and personal data arebacked up before you begin the factory reset process.

• Ensure that there is uninterrupted power supply when the factory reset process is in progress.

• Ensure that In-Service Software Upgrade (ISSU) or In-Service Software Downgrade (ISSD) are not inprogress before you begin the factory reset process.

Restrictions for Performing a Factory Reset• Software patches, if installed on the device, will not be restored after the factory reset process.

• If the factory-reset command is issued through a VTY session, the session is not restored after completionof the factory reset process.

• The config keyword of the factory-reset command is not supported when the switch is in stacking orStackwise Virtual Link (SVL) mode.

Information About Performing a Factory ResetFactory reset erases all the customer-specific data stored in a device and restores the device to its originalconfiguration at the time of shipping. Data that is erased includes configurations, log files, boot variables,


core files, and credentials such as Federal Information Processing Standard-related (FIPS-related) keys. Theerasure is consistent with the clear method, as described in NIST SP 800-88 Rev. 1.

The factory reset process is used in the following scenarios:

• Return Material Authorization (RMA) for a device: If you have to return a device to Cisco for RMA,remove all the customer-specific data before obtaining an RMA certificate for the device.

• Recovering a compromised device: If the key material or credentials that are stored on a device arecompromised, reset the device to the factory configuration, and then reconfigure the device.

During a factory reset, the device reloads and enters ROMMON mode. After the factory reset, the deviceremoves all its environment variables, including theMAC_ADDRESS and the SERIAL_NUMBER variables,which are required to locate and load the software. Perform a reset in ROMmon mode to automatically setthe environment variables. The BAUD rate environment variable returns to its default value after a factoryreset. Make sure that the BAUD rate and the console speed are the same at all times. Otherwise, the consolebecomes unresponsive.

After the system reset in ROMmon mode is complete, add the Cisco IOS image either through an USB orTFTP.

The following table provides details about the data that is erased and retained during the factory reset process:

Table 17: Data Erased and Retained During Factory Reset

Data RetainedData Erased

Data from remote field-replaceable units (FRUs)All Cisco IOS images, including the current bootimage

Value of the configuration register.Crash information and logs

—User data, startup and running configuration, andcontents of removable storage devices, such as SerialAdvanced Technology Attachment (SATA), SolidState Drive (SSD), or USB

Credentials such as Secure Unique Device Identifier(SUDI) certificates, and public key infrastructure(PKI) keys.

Credentials such as FIPS-related keys

LicensesOnboard Failure Logging (OBFL) logs

—ROMmon variables added by a user.

How to Perform a Factory ResetTo perform a factory reset, complete this procedure:

Procedure




Performing Factory ResetHow to Perform a Factory Reset



Resets the device to its configuration at the timeof its shipping.

Step 2 • For a standalone device:

factory-reset {all [secure 3-pass] |config | boot-vars} No system configuration is required to use the

factory reset command.• For stacked devices:The following options are available:factory-reset {all [secure 3-pass] |

config | boot-vars|switch • all: Erases all the content from theNVRAM, all the Cisco IOS images,{switch-number |all{all [secure

3-pass] | config | boot-vars}} including the current boot image, bootvariables, startup and runningExample:configuration data, and user data. Werecommend that you use this option.

Device# factory-reset all

OR• secure 3-pass: Erases all the content fromthe device with 3-pass overwrite.Device# factory-reset switch 1 all config

• Pass 1: Overwrites all addressablelocations with binary zeroes.

• Pass 2: Overwrites all addressablelocations with binary ones.

• Pass 3: Overwrites all addressablelocations with a random bit pattern.

This option takes approximatelythrice the time taken to performany other option.

Note

• config: Resets the startup configurations.

• boot-vars: Resets the user-added bootvariables.

• switch {switch-number |all}:

• switch-number: Specifies the switchnumber. The range is from 1 to 16.

• all: Selects all the switches in thestack.

After the factory reset process is successfullycompleted, the device reboots and entersROMmon mode.


Performing Factory ResetHow to Perform a Factory Reset

Configuration Examples for Performing a Factory Reset

The following example shows how to perform a factory reset on a standalone switch:Device> enableDevice# factory-reset all

The factory reset operation is irreversible for all operations. Are you sure? [confirm]The following will be deleted as a part of factory reset:1: Crash info and logs2: User data, startup and running configuration3: All IOS images, including the current boot image4: OBFL logs5: User added rommon variables6: Data on Field Replaceable Units(USB/SSD/SATA)The system will reload to perform factory reset.It will take some time to complete and bring it to rommon.You will need to load IOS image using USB/TFTP from rommon afterthis operation is completed.DO NOT UNPLUG THE POWER OR INTERRUPT THE OPERATIONAre you sure you want to continue? [confirm]

The following examples show how to perform a factory reset on Cisco StackWise Virtual enableddevices:Device> enableDevice# factory-reset switch 2 allThe factory reset operation is irreversible for all operations. Are you sure? [confirm]The following will be deleted as a part of factory reset:1: Crash info and logs2: User data, startup and running configuration3: All IOS images, including the current boot image4: OBFL logs5: User added rommon variables6: Data on Field Replaceable Units(USB/SSD/SATA)The system will reload to perform factory reset.It will take some time to complete and bring it to rommon.You will need to load IOS image using USB/TFTP from rommon afterthis operation is completed.DO NOT UNPLUG THE POWER OR INTERRUPT THE OPERATIONAre you sure you want to continue? [confirm]Switch#*Sep 23 18:10:42.739: Successfully sent switch reload message for switch num: 2 and reasonFactory Reset*Sep 23 18:10:42.740: %STACKMGR-1-RELOAD: Chassis 2 R0/0: stack_mgr: Reloading due to reasonFactory Reset*Sep 23 18:10:43.158: NGWC_FACTORYRESET: Switch 2, cmd: reset-all success

Original standby Switch 2:Chassis 2 reloading, reason - Factory ResetSep 23 18:11:03.199: %PMAN-5-EXITACTION: R0/0: pvp: Process manager is exiting: processexit with reload fru code

Enabling factory reset for this reload cycleSwitch booted with tftp://172.19.72.26/tftpboot/thpaliss/trial.bin% FACTORYRESET - Started Cleaning Up...


Performing Factory ResetConfiguration Examples for Performing a Factory Reset

% FACTORYRESET - Unmounting flash1% FACTORYRESET - Cleaning Up flash1% FACTORYRESET - In progress.. please wait for completion...

% FACTORYRESET - write zero...% FACTORYRESET - finish erase

Creating filesystem with 2790400 4k blocks and 697632 inodesFilesystem UUID: 6a8ec2fb-4602-41b3-9c5c-ed59039d7480Superblock backups stored on blocks:32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

Allocating group tables: doneWriting inode tables: doneWriting superblocks and filesystem accounting information: done

% FACTORYRESET - Mounting Back flash1% FACTORYRESET - Handling Mounted flash1% FACTORYRESET - Factory Reset Done for flash1



Creating filesystem with 409600 4k blocks and 102544 inodesFilesystem UUID: e2f2280f-245a-4232-b0a8-edbf590a3107Superblock backups stored on blocks:32768, 98304, 163840, 229376, 294912





Creating filesystem with 131072 1k blocks and 32768 inodesFilesystem UUID: 3c548955-16f5-4db5-a1c3-9a956248ccacSuperblock backups stored on blocks:8193, 24577, 40961, 57345, 73729







Creating filesystem with 514811 4k blocks and 128768 inodesFilesystem UUID: 9fe5a9db-263e-4303-825f-78ce815835c2Superblock backups stored on blocks:32768, 98304, 163840, 229376, 294912


% FACTORYRESET - Mounting Back flash7% FACTORYRESET - Handling Mounted flash7% FACTORYRESET - Factory Reset Done for flash7% FACTORYRESET - Lic Clean UP% FACTORYRESET - Lic Clean Successful...% FACTORYRESET - Clean Up Successful...

watchdog: watchdog0: watchdog did not stop!systemd-shutdown[1]: Failed to parse (null): No such file or directorysystemd-shutdown[1]: Failed to deactivate swaps: No such file or directory

The following examples show how to perform a factory reset on stacked devices:Device> enableDevice# factory-reset switch all allThe factory reset operation is irreversible for all operations. Are you sure? [confirm]The following will be deleted as a part of factory reset:1: Crash info and logs2: User data, startup and running configuration3: All IOS images, including the current boot image4: OBFL logs5: User added rommon variables6: Data on Field Replaceable Units(USB/SSD/SATA)The system will reload to perform factory reset.It will take some time to complete and bring it to rommon.You will need to load IOS image using USB/TFTP from rommon afterthis operation is completed.DO NOT UNPLUG THE POWER OR INTERRUPT THE OPERATIONAre you sure you want to continue? [confirm]Chassis 1 reloading, reason - Factory Reset

Protection key not found9300L#Oct 25 09:53:05.740: %PMAN-5-EXITACTION: F0/0: pvp: Process manager is exiting: reloadfp action requestedOct 25 09:53:07.277: %PMAN-5-EXITACTION:vp: Process manager is exiting: rp processes exitwith reload switch code

Enabling factory reset for this reload cycleSwitch booted withtftp://10.5.40.45/cat9k_iosxe.BLD_POLARIS_DEV_LATEST_20191007_224933_V17_2_0_21_2.SSA.binSwitch booted via//10.5.40.45/cat9k_iosxe.BLD_POLARIS_DEV_LATEST_20191007_224933_V17_2_0_21_2.SSA.bin% FACTORYRESET - Started Cleaning Up...

% FACTORYRESET - Unmounting sd1% FACTORYRESET - Cleaning Up sd1 [0]% FACTORYRESET - erase In progress.. please wait for completion...% FACTORYRESET - write zero...



% FACTORYRESET - finish erase

% FACTORYRESET - Making File System sd1 [0]Discarding device blocks: doneCreating filesystem with 409600 4k blocks and 102544 inodesFilesystem UUID: fcf01664-7c6f-41ce-99f0-6df1d941701eSuperblock backups stored on blocks:32768, 98304, 163840, 229376, 294912


% FACTORYRESET - Mounting Back sd1 [0]% FACTORYRESET - Handling Mounted sd1% FACTORYRESET - Factory Reset Done for sd1

% FACTORYRESET - Unmounting sd3% FACTORYRESET - Cleaning Up sd3 [0]% FACTORYRESET - erase In progress.. please wait for completion...% FACTORYRESET - write zero...

Chassis 2 reloading, reason - Factory ResetDec 12 01:02:12.500: %PMAN-5-EXITACTION: F0/0: pvp: Process manager is exiting: reload fpaction requestedDeEnabling factory reset for this reload cycleSwitch booted withtftp://10.5.40.45/cat9k_iosxe.BLD_POLARIS_DEV_LATEST_20191007_224933_V17_2_0_21_2.SSA.binSwitch booted via//10.5.40.45/cat9k_iosxe.BLD_POLARIS_DEV_LATEST_20191007_224933_V17_2_0_21_2.SSA.bin% FACTORYRESET - Started Cleaning Up...% FACTORYRESET - Unmounting sd1% FACTORYRESET - Cleaning Up sd1 [0]% FACTORYRESET - erase In progress.. please wait for completion...% FACTORYRESET - write zero...

After this the switch will come to boot prompt. Then the customer has to boot the devicefrom TFTP.

Additional References for Performing a Factory ResetRelated Documents


Command ReferenceFor complete syntax and usage information for thecommands used in this chapter.

Feature History for Performing a Factory ResetThis table provides release and related information for features explained in this module.


Performing Factory ResetAdditional References for Performing a Factory Reset

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-12/command_reference/b_1612_9500_cr.html



Factory reset erases all the customer-specific datastored in a device and restores the device to itsoriginal configuration at the time of shipping



Factory ResetCisco IOS XE Fuji 16.8.1a

Performing a factory reset erases the contents ofremovable storage devices, such as SATA, SSD,or USB.

Factory Reset forRemovable StorageDevices

Cisco IOS XE Gibraltar16.12.1

A factory reset can be performed to erase all thecontent from the device securely with 3-passoverwrite. The secure 3-pass keyword wasintroduced.

Factory Reset with3-pass Overwrite


Support for factory reset on stacked devices andfor Cisco StackWise Virtual enabled devices isintroduced.

Enhanced Factory ResetOption for Stack andCisco StackWise Virtual



Performing Factory ResetFeature History for Performing a Factory Reset


C H A P T E R 16Configuring Secure Storage

• Information About Secure Storage, on page 301• Enabling Secure Storage , on page 301• Disabling Secure Storage , on page 302• Verifying the Status of Encryption, on page 302• Feature Information for Secure Storage, on page 303

Information About Secure StorageSecure Storage feature allows you to secure critical configuration information by encrypting it. It encryptsasymmetric key-pairs, pre-shared secrets, the type 6 password encryption key and certain credentials. Aninstance-unique encryption key is stored in the hardware trust anchor to prevent it from being compromised.

By default, this feature is enabled on devices that come with a hardware trust anchor. This feature is notsupported on devices that do not have hardware trust anchor.

Enabling Secure StorageBefore you begin

By default, this feature is enabled. Perform this procedure only after disabling secure storage on the device.

Procedure



Example:

Step 1


Enables the Secure Storage feature on yourdevice.

service private-config-encryption

Example:

Step 2

DEvice(config)# serviceprivate-config-encryption




Example:

Step 3

Device(config)# end

Encrypts the private-config file and saves thefile in an encrypted format.

write memory

Example:

Step 4


Disabling Secure StorageBefore you begin

To disable Secure Storage feature on a device, perform this task:

Procedure



Example:

Step 1


Disables the Secure Storage feature on yourdevice. When secure storage is disabled, all theuser data is stored in plain text in the NVRAM.

no service private-config-encryption

Example:Device(config)# no serviceprivate-config-encryption

Step 2


Example:

Step 3

Device(config)# end

Decrypts the private-config file and saves thefile in plane format.

write memory

Example:

Step 4


Verifying the Status of EncryptionUse the show parser encrypt file status command to verify the status of encryption. The following commandoutput indicates that the feature is available but the file is not encrypted. The file is in ‘plain text’ format.Device#show parser encrypt file statusFeature: EnabledFile Format: Plain Text


Configuring Secure StorageDisabling Secure Storage

Encryption Version: Ver1

Feature Information for Secure StorageThis table provides release and related information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless notedotherwise.


Secure Storage feature allows you to secure criticalconfiguration information by encrypting it. Itencrypts asymmetric key-pairs, pre-shared secrets,the type 6 password encryption key and certaincredentials. An instance-unique encryption key isstored in the hardware trust anchor to prevent itfrom being compromised.


Secure StorageCisco IOSXEEverest 16.5.1a


Secure StorageCisco IOS XE Fuji 16.8.1a

Use the Cisco Feature Navigator to find information about platform and software image support. To accessCisco Feature Navigator, go to http://www.cisco.com/go/cfn.


Configuring Secure StorageFeature Information for Secure Storage



Configuring Secure StorageFeature Information for Secure Storage

C H A P T E R 17Conditional Debug and Radioactive Tracing

• Topic 1, on page 305• Topic 2, on page 305• Introduction to Conditional Debugging, on page 305• Introduction to Radioactive Tracing, on page 306• How to Configure Conditional Debug and Radioactive Tracing, on page 306• Monitoring Conditional Debugging, on page 310• Configuration Examples for Conditional Debugging, on page 310• Additional References for Conditional Debugging and Radioactive Tracing, on page 311• Feature History for Conditional Debugging and Radioactive Tracing, on page 311

Topic 1

Topic 2

Topic 2.1

Introduction to Conditional DebuggingThe Conditional Debugging feature allows you to selectively enable debugging and logging for specificfeatures based on the set of conditions you define. This feature is useful in systems where a large number offeatures are supported.

Only Control Plane Tracing is supported.Note

The Conditional debug allows granular debugging in a network that is operating at a large scale with a largenumber of features. It allows you to observe detailed debugs for granular instances within the system. Thisis very useful when we need to debug only a particular session among thousands of sessions. It is also possibleto specify multiple conditions.


A condition refers to a feature or identity, where identity could be an interface, IP Address, or a MAC addressand so on.

MAC address is the only supported condition.Note

This is in contrast to the general debug command, that produces its output without discriminating on thefeature objects that are being processed. General debug command consumes a lot of system resources andimpacts the system performance.

Introduction to Radioactive TracingRadioactive tracing provides the ability to stitch together a chain of execution for operations of interest acrossthe system, at an increased verbosity level. This provides a way to conditionally print debug information (upto DEBUG Level or a specified level) across threads, processes and function calls.

The default level is DEBUG. The users cannot change this to another level.Note

The following features are enabled for Radioactive Tracing:

• IGMP Snooping

• Layer 2 Multicast

How to Configure Conditional Debug and Radioactive Tracing

Conditional Debugging and Radioactive TracingRadioactive Tracing when coupled with Conditional Debugging, enable us to have a single debug CLI todebug all execution contexts related to the condition. This can be done without being aware of the variouscontrol flow processes of the feature within the box and without having to issue debugs at these processesindividually.

Location of TracefilesBy default the tracefile logs will be generated for each process and saved into either the /tmp/rp/trace or/tmp/fp/trace directory. In this temp directory, the trace logs are written to files, which are of 1 MB size each.The directory can hold up to a maximum of 25 such files for a given process. When a tracefile in the /tmpdirectory reaches its 1MB limit or whatever size was configured for it during the boot time, it is rotated outto an archive location in the /crashinfo partition under tracelogs directory.

The /tmp directory holds only a single tracefile for a given process. Once the file reaches its file size limit itis rotated out to /crashinfo/tracelogs. In the archive directory, up to 25 files are accumulated, after which theoldest one is replaced by the newly rotated file from /tmp.


Conditional Debug and Radioactive TracingIntroduction to Radioactive Tracing

The tracefiles in the crashinfo directory are located in the following formats:

1. Process-name_Process-ID_running-counter.timestamp.gz

Example: IOSRP_R0-0.bin_0.14239.20151101234827.gz

2. Process-name_pmanlog_Process-ID_running-counter.timestamp.bin.gz

Example: wcm_pmanlog_R0-0.30360_0.20151028233007.bin.gz

Configuring Conditional DebuggingTo configure conditional debugging, follow the steps given below:

Procedure




Device> enable

Configures conditional debugging for theMACAddress specified.

debug platform condition mac {mac-address}

Example:

Step 2

Device# debug platform condition macbc16.6509.3314

Starts conditional debugging (this will startradioactive tracing if there is a match on one ofthe conditions above).

debug platform condition start

Example:Device# debug platform condition start

Step 3

Displays the current conditions set.show platform condition OR show debug

Example:

Step 4

Device# show platform conditionDevice# show debug

Stops conditional debugging (this will stopradioactive tracing).

debug platform condition stop

Example:

Step 5

Device# debug platform condition stop

(Optional) Displays historical logs of mergedtracefiles on the system. Filter on anycombination of number of days or location.

request platform software trace archive [last{number} days] [target {crashinfo: |flashinfo:}]

Example:

Step 6

# request platform software trace archivelast 2 days

(Optional) Displays logs merged from the latesttracefile. Filter on any combination of

show platform software trace [filter-binary| level | message]

Step 7


Conditional Debug and Radioactive TracingConfiguring Conditional Debugging


application condition, trace module name, andtrace level.

Example:Device# show platform software tracemessage • filter-binary - Filter the modules to be

collated

• level - Show trace levels

• message - Show trace message ringcontents

On the device:

• Available from IOS console inaddition to linux shell.

• Generates a file with mergedlogs.

• Displaysmerged logs only fromstaging area

Note

Clears all conditions.clear platform condition all

Example:

Step 8

Device# clear platform condition all

What to do next

The commands request platform software trace filter-binary and show platform software tracefilter-binary work in a similar way. The only difference is:

Note

• request platform software trace filter-binary - Sources the data from historical logs.

• show platform software trace filter-binary – Sources the data from the flash Temp directory.

Of these,mac_log <..date..> is the most important file, as it gives the messages for theMACwe are debugging.The command show platform software trace filter-binary also generates the same flash files, and also printsthe mac_log on the screen.

Radioactive Tracing for L2 MulticastTo identify a specific multicast receiver, specify the MAC address of the joiner or the receiver client, GroupMulticast IP address and Snooping VLAN. Additionally, enable the trace level for the debug. The debug levelwill provide detailed traces and better visibility into the system.

debug platform condition feature multicast controlplane mac client MAC address ip Group IPaddress vlan id level debug level


Conditional Debug and Radioactive TracingRadioactive Tracing for L2 Multicast

Recommended Workflow for Trace filesThe Recommended Workflow for Trace files is listed below:

1. To request the tracelogs for a specific time period.

EXAMPLE 1 day.

Use the command:

Device#request platform software trace archive last 1 day

2. The system generates a tar ball (.gz file) of the tracelogs in the location /flash:

3. Copy the file off the switch. By copying the file, the tracelogs can be used to work offline. For moredetails on copying files, see section below.

4. Delete the tracelog file (.gz) file from /flash: location. This will ensure enough space on the switch forother operations.

Copying tracefiles off the boxAn example of the tracefile is shown below:

Device# dir crashinfo:/tracelogsDirectory of crashinfo:/tracelogs/

50664 -rwx 760 Sep 22 2015 11:12:21 +00:00 plogd_F0-0.bin_0.gz50603 -rwx 991 Sep 22 2015 11:12:08 +00:00 fed_pmanlog_F0-0.bin_0.9558.20150922111208.gz50610 -rw- 11 Nov 2 2015 00:15:59 +00:00 timestamp50611 -rwx 1443 Sep 22 2015 11:11:31 +00:00auto_upgrade_client_sh_pmanlog_R0-.bin_0.3817.20150922111130.gz50669 -rwx 589 Sep 30 2015 03:59:04 +00:00 cfgwr-8021_R0-0.bin_0.gz50612 -rwx 1136 Sep 22 2015 11:11:46 +00:00 reflector_803_R0-0.bin_0.1312.20150922111116.gz50794 -rwx 4239 Nov 2 2015 00:04:32 +00:00 IOSRP_R0-0.bin_0.14239.20151101234827.gz50615 -rwx 131072 Nov 2 2015 00:19:59 +00:00 linux_iosd_image_pmanlog_R0-0.bin_0--More—

The trace files can be copied using one of the various options shown below:

Device# copy crashinfo:/tracelogs ?crashinfo: Copy to crashinfo: file systemflash: Copy to flash: file systemftp: Copy to ftp: file systemhttp: Copy to http: file systemhttps: Copy to https: file systemnull: Copy to null: file systemnvram: Copy to nvram: file systemrcp: Copy to rcp: file systemrunning-config Update (merge with) current system configurationscp: Copy to scp: file systemstartup-config Copy to startup configurationsyslog: Copy to syslog: file systemsystem: Copy to system: file systemtftp: Copy to tftp: file systemtmpsys: Copy to tmpsys: file system

The general syntax for copying onto a TFTP server is as follows:


Conditional Debug and Radioactive TracingRecommended Workflow for Trace files

Device# copy source: tftp:Device# copy crashinfo:/tracelogs/IOSRP_R0-0.bin_0.14239.20151101234827.gz tftp:Address or name of remote host []? 2.2.2.2Destination filename [IOSRP_R0-0.bin_0.14239.20151101234827.gz]?

It is important to clear the generated report or archive files off the switch in order to have flash space availablefor tracelog and other purposes.

Note

Monitoring Conditional DebuggingThe table shown below lists the various commands that can be used to monitor conditional debugging.

PurposeCommand

Displays the current conditions set.show platform condition

Displays the current debug conditions set.show debug

Displays logs merged from the latest tracefile.show platform software trace filter-binary

Displays historical logs of merged tracefiles on thesystem.

request platform software trace filter-binary

Configuration Examples for Conditional DebuggingThe following is an output example of the show platform condition command.Device# show platform conditionConditional Debug Global State: StopConditions Direction----------------------------------------------------------------------------------------------|---------MAC Address 0024.D7C7.0054 N/AFeature Condition Type Value-----------------------|-----------------------|--------------------------------Device#

The following is an output example of the show debug command.Device# show debugIOSXE Conditional Debug Configs:Conditional Debug Global State: StartConditions Direction----------------------------------------------------------------------------------------------|---------MAC Address 0024.D7C7.0054 N/AFeature Condition Type Value-----------------------|-----------------------|--------------------------------Packet Infra debugs:Ip Address Port------------------------------------------------------|----------Device#

The following is a sample of the debug platform condition stop command.


Conditional Debug and Radioactive TracingMonitoring Conditional Debugging

Device# debug platform condition stopConditional Debug Global State: Stop

Additional References for Conditional Debugging andRadioactive Tracing

Related Documents



Feature History for Conditional Debugging and RadioactiveTracing




The Conditional Debugging feature allows you toselectively enable debugging and logging forspecific features based on the set of conditions youdefine.


Conditional Debuggingand Radioactive Tracing



Conditional Debuggingand Radioactive Tracing




Conditional Debug and Radioactive TracingAdditional References for Conditional Debugging and Radioactive Tracing



Conditional Debug and Radioactive TracingFeature History for Conditional Debugging and Radioactive Tracing

C H A P T E R 18Consent Token

• Restrictions for Consent Token, on page 313• Information About Consent Token, on page 313• Consent Token Authorization Process for System Shell Access, on page 314• Feature History for Consent Token, on page 315

Restrictions for Consent Token• Consent Token is enabled by default and cannot be disabled.

• After the challenge has been sent from the device, the response needs to be entered within 30 minutes.If it is not entered, the challenge expires and a new challenge must be requested.

• A single response is valid only for one time for a corresponding challenge.

• The maximum authorization timeout for root-shell access is seven days.

• After a switchover event, all the existing Consent Token based authorizations would be treated as expired.You must then restart a fresh authentication sequence for service access.

• Only Cisco authorized personnel have access to Consent Token response generation on Cisco's challengesigning server.

• In System Shell access scenario, exiting the shell does not terminate authorization until the authorizationtimeout occurs or the shell authorization is explicitly terminated by the consent token terminateauthorization command.

We recommend that you force terminate System Shell authorization by explicitly issuing the ConsentToken terminate command once the purpose of System Shell access is complete.

Information About Consent TokenConsent Token is a security feature that is used to authenticate the network administrator of an organizationto access system shell with mutual consent from the network administrator and Cisco Technical AssistanceCentre (Cisco TAC).

In some debugging scenarios, the Cisco TAC engineer may have to collect certain debug information orperform live debug on a production system. In such cases, the Cisco TAC engineer will ask you (the network


administrator) to access system shell on your device. Consent Token is a lock, unlock and re-lock mechanismthat provides you with privileged, restricted, and secure access to the system shell.

When you request access to system shell, you need to be authorized. You must first run the command togenerate a challenge using the Consent Token feature on your device. The device generates a unique challengeas output. Youmust then copy this challenge string and send it to a Cisco Authorized Personnel through e-mailor Instant Message.

The Cisco Authorized Personnel processes the unique challenge string and generates a response that is unique.The Cisco Authorized Personnel copies this response string and sends it to you through e-mail or InstantMessage.

You must then input this response string into your device. If the challenge-response pair match, you areauthorized to access system shell. If not, an error is displayed and you are required to repeat the authenticationprocess.

Once you gain access to system shell, collect the debug information required by the Cisco TAC engineer.After you are done accessing system shell, terminate the session and continue the debugging process.Figure 6: Consent Token

Consent Token Authorization Process for System Shell AccessThis section describes the process of Consent Token authorization to access system shell:

Procedure

Step 1 Generate a challenge requesting for access to system shell for the specified time period.

Example:Device# request consent-token generate-challenge shell-access auth-timeout 900zSSdrAAAAQEBAAQAAAABAgAEAAAAAAMACH86csUhmDl0BAAQ0Fvd7CxqRYUeoD7B4AwW7QUABAAAAG8GAAhDVEFfREVNTwcAGENUQV9ERU1PX0NUQV9TSUdOSU5HX0tFWQgAC0M5ODAwLUNMLUs5CQALOVpQUEVESE5KRkI=Device#*Jan 18 02:47:06.733: %CTOKEN-6-AUTH_UPDATE: Consent Token Update (challenge generationattempt: Shell access 0).

Send a request for a challenge using the request consent-token generate-challenge shell-accesstime-validity-slot command. The duration in minutes for which you are requesting access to system shell isthe time-slot-period.

In this example, the time period is 900 minutes after which the session expires.

The device generates a unique challenge as output. This challenge is a base-64 format string.


Consent TokenConsent Token Authorization Process for System Shell Access

Step 2 Send the challenge string to a Cisco Authorized Personnel.

Send the challenge string generated by the device to a Cisco Authorized Personnel through e-mail or InstantMessage.

The Cisco Authorized Personnel processes the unique challenge string and generates a response. The responseis also a base-64 string that is unique. The Cisco Authorized Personnel copies this response string and sendsit to you through e-mail or Instant Message.

Step 3 Input the response string onto your device.

Example:

Device# request consent-token accept-response shell-accesslR1y2AAUKFcAAAABAAABYlVDZ2d6MnkxL3JxTTJSSC9FZE5aWnRSa1FteS9POWZqRUNlTk1LL3VoUWxTc0FsOHl5OW5vckQ4YWVOelpZZGYNCkNpWHY0b1B4Q000UGs1M2ZEMUpoazBCUkYyM3FML1A2ckVjM3paR05wdHcvck95UVduYUVuTnA5bnhIZ09CNE0NCjBmVjh4b3I4TzE3aHNMaU1JeDQ3YWtkdE9Xb0JhTmlzMVRweFBVZE93QUxvZDVEbmo4UEtiR01VVUM5b3lZWXQNCjFIRnJPbXczcmpsZTJHUnIxOWJUNkZLTWlpZ0ZmbENVRWo4K2xoaXgxS0ZtdDVPcDBYczVPSU43L0dSK1pGTnoNCmYxTUtjaW1OWDhWTTNLQ0ZWNURHU3pIenF1UFBxZVNDU0xLNkhXUTFROTlFMXJVakdlZ1NqTWxnNFlySkJYL0wNCnpaTDVVRnVFdWpRWDdDUThIdkVPM1E9PQ==% Consent token authorization success*Jan 18 02:51:37.807: %CTOKEN-6-AUTH_UPDATE: Consent Token Update (authentication success:Shell access 0).

Device# request platform software system shellActivity within this shell can jeopardize the functioning of the system.Are you sure you want to continue? [y/n] yDevice#*Jan 18 02:56:59.714: %CTOKEN-6-AUTH_UPDATE: Consent Token Update (authorization for Shellaccess 0 will expire in 10 min).

Input the response string sent to you by the Cisco Authorized Personnel using the request consent-tokenaccept-response shell-access response-string command.

If the challenge-response pair match, you are authorized to access system shell. If the challenge-response pairdo not match, an error is displayed and you are required to repeat steps 1 to 3.

After you are authorized, you can access system shell for the requested time-slot.

The device sends a message when there is ten minutes remaining of the authorization session.

Step 4 Terminate the session.

Example:Device# request consent-token terminate-auth% Consent token authorization termination success

Device#*Jan 18 23:33:02.937: %CTOKEN-6-AUTH_UPDATE: Consent Token Update (terminate authentication:Shell access 0).Device#

When you finish accessing system shell, you can end the session using the request consent-tokenterminate-auth command. You can also force terminate the session prior to the authorization timeout usingthis command. The session also gets terminated automatically when the requested time slot expires.

Feature History for Consent TokenThis table provides release and related information for features explained in this module.



Consent TokenFeature History for Consent Token


Consent Token is a security feature that is used toauthenticate the network administrator of anorganization to access system shell with mutualconsent from the network administrator and CiscoTechnical Assistance Centre (Cisco TAC).



Consent TokenCisco IOS XE Gibraltar16.11.1



Consent TokenFeature History for Consent Token


C H A P T E R 19Troubleshooting the Software Configuration

This chapter describes how to identify and resolve software problems related to the Cisco IOS software onthe switch. Depending on the nature of the problem, you can use the command-line interface (CLI), DeviceManager, or Network Assistant to identify and solve problems.

Additional troubleshooting information, such as LED descriptions, is provided in the hardware installationguide.

• Information About Troubleshooting the Software Configuration, on page 317• How to Troubleshoot the Software Configuration, on page 324• Verifying Troubleshooting of the Software Configuration, on page 338• Scenarios for Troubleshooting the Software Configuration, on page 341• Configuration Examples for Troubleshooting Software, on page 343• Additional References for Troubleshooting Software Configuration, on page 345• Feature History for Troubleshooting Software Configuration, on page 345

Information About Troubleshooting the Software Configuration

Software Failure on a SwitchSwitch software can be corrupted during an upgrade by downloading the incorrect file to the switch, and bydeleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), andthere is no connectivity.Follow the steps described in the Recovering from a Software Failure, on page 324section to recover from a software failure.

Lost or Forgotten Password on a DeviceThe default configuration for the device allows an end user with physical access to the device to recover froma lost password by interrupting the boot process during power-on and by entering a new password. Theserecovery procedures require that you have physical access to the device.


On these devices, a system administrator can disable some of the functionality of this feature by allowing anend user to reset a password only by agreeing to return to the default configuration. If you are an end usertrying to reset a password when password recovery has been disabled, a status message reminds you to returnto the default configuration during the recovery process.

Note

You cannot recover encryption password key, when CiscoWLC configuration is copied from one CiscoWLCto another (in case of an RMA).

Note

Follow the steps described in the section Recovering from a Lost or Forgotten Password, on page 328 to recoverfrom a lost or forgotten password.

PingThe device supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo requestpacket to an address and waits for a reply. Ping returns one of these responses:

• Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending onnetwork traffic.

• Destination does not respond—If the host does not respond, a no-answer message is returned.

• Unknown host—If the host does not exist, an unknown host message is returned.

• Destination unreachable—If the default gateway cannot reach the specified network, adestination-unreachable message is returned.

• Network or host unreachable—If there is no entry in the route table for the host or network, a networkor host unreachable message is returned.

Refere the section Executing Ping, on page 335 to understand how ping works.

Layer 2 TracerouteThe Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a sourcedevice to a destination device. Layer 2 traceroute supports only unicast source and destinationMAC addresses.Traceroute finds the path by using theMAC address tables of the devices in the path. When the Device detectsa device in the path that does not support Layer 2 traceroute, the Device continues to send Layer 2 trace queriesand lets them time out.

The Device can only identify the path from the source device to the destination device. It cannot identify thepath that a packet takes from source host to the source device or from the destination device to the destinationhost.

Layer 2 Traceroute Guidelines• Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 tracerouteto function properly, do not disable CDP.


Troubleshooting the Software ConfigurationPing

If any devices in the physical path are transparent to CDP, the switch cannot identify the path throughthese devices.

• A device is reachable from another device when you can test connectivity by using the ping privilegedEXEC command. All devices in the physical path must be reachable from each other.

• The maximum number of hops identified in the path is ten.

• You can enter the traceroute mac or the traceroute mac ip privileged EXEC command on a devicethat is not in the physical path from the source device to the destination device. All devices in the pathmust be reachable from this switch.

• The traceroute mac command output shows the Layer 2 path only when the specified source anddestination MAC addresses belong to the same VLAN. If you specify source and destination MACaddresses that belong to different VLANs, the Layer 2 path is not identified, and an error message appears.

• If you specify a multicast source or destination MAC address, the path is not identified, and an errormessage appears.

• If the source or destination MAC address belongs to multiple VLANs, you must specify the VLAN towhich both the source and destination MAC addresses belong. If the VLAN is not specified, the path isnot identified, and an error message appears.

• The traceroute mac ip command output shows the Layer 2 path when the specified source and destinationIP addresses belong to the same subnet. When you specify the IP addresses, the device uses the AddressResolution Protocol (ARP) to associate the IP addresses with the corresponding MAC addresses and theVLAN IDs.

• If an ARP entry exists for the specified IP address, the device uses the associated MAC address andidentifies the physical path.

• If an ARP entry does not exist, the device sends an ARP query and tries to resolve the IP address.If the IP address is not resolved, the path is not identified, and an error message appears.

• When multiple devices are attached to one port through hubs (for example, multiple CDP neighbors aredetected on a port), the Layer 2 traceroute feature is not supported. When more than one CDP neighboris detected on a port, the Layer 2 path is not identified, and an error message appears.

• This feature is not supported in Token Ring VLANs.

• Layer 2 traceroute opens a listening socket on the User Datagram Protocol (UDP) port 2228 that can beaccessed remotely with any IPv4 address, and does not require any authentication. This UDP socketallows to read VLAN information, links, presence of particular MAC addresses, and CDP neighborinformation, from the device. This information can be used to eventually build a complete picture of theLayer 2 network topology.

• Layer 2 traceroute is enabled by default and can be disabled by running the no l2 traceroute commandin global configuration mode. To re-enable Layer 2 traceroute, use the l2 traceroute command in globalconfiguration mode.

IP TracerouteYou can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis.The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passesthrough on the way to the destination.


Troubleshooting the Software ConfigurationIP Traceroute

Your Device can participate as the source or destination of the traceroute privileged EXEC command andmight or might not appear as a hop in the traceroute command output. If the Device is the destination of thetraceroute, it is displayed as the final destination in the traceroute output. Intermediate devices do not showup in the traceroute output if they are only bridging the packet from one port to another within the same VLAN.However, if the intermediate Device is a multilayer Device that is routing a particular packet, this deviceshows up as a hop in the traceroute output.

The traceroute privileged EXEC command uses the Time To Live (TTL) field in the IP header to causerouters and servers to generate specific return messages. Traceroute starts by sending a User Datagram Protocol(UDP) datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, itdrops the datagram and sends an Internet Control Message Protocol (ICMP) time-to-live-exceeded messageto the sender. Traceroute finds the address of the first hop by examining the source address field of the ICMPtime-to-live-exceeded message.

To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrementsthe TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discardsthe datagram, and returns the time-to-live-exceeded message to the source. This process continues until theTTL is incremented to a value large enough for the datagram to reach the destination host (or until the maximumTTL is reached).

To learn when a datagram reaches its destination, traceroute sets the UDP destination port number in thedatagram to a very large value that the destination host is unlikely to be using.When a host receives a datagramdestined to itself containing a destination port number that is unused locally, it sends an ICMP port-unreachableerror to the source. Because all errors except port-unreachable errors come from intermediate hops, the receiptof a port-unreachable error means that this message was sent by the destination port.

Go to Example: Performing a Traceroute to an IP Host, on page 344 to see an example of IP traceroute process.

Debug Commands

Because debugging output is assigned high priority in the CPU process, it can render the system unusable.For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessionswith Cisco technical support staff. It is best to use debug commands during periods of lower network trafficand fewer users. Debugging during these periods decreases the likelihood that increased debug commandprocessing overhead will affect system use.

Caution

All debug commands are entered in privileged EXEC mode, and most debug commands take no arguments.

System ReportSystem reports or crashinfo files save information that helps Cisco technical support representatives to debugproblems that caused the Cisco IOS image to fail (crash). It is necessary to quickly and reliably collect criticalcrash information with high fidelity and integrity. Further, it is necessary to collect this information and bundleit in a way that it can be associated or identified with a specific crash occurrence.

System reports are generated in these situations:

• In case of a switch failure—A system report is generated on the switch that failed

• In case of a switchover—System reports are generated only on high availability (HA) member switches.reports are not generated for non-HA members.


Troubleshooting the Software ConfigurationDebug Commands

The system does not generate reports in case of a reload.

During a process crash, the following is collected locally from the switch:

1. Full process core

2. Tracelogs

3. IOS syslogs (not guaranteed in case of non-active crashes)

4. System process information

5. Bootup logs

6. Reload logs

7. Certain types of /proc information

This information is stored in separate files which are then archived and compressed into one bundle. Thismakes it convenient to get a crash snapshot in one place, and can be then moved off the box for analysis. Thisreport is generated before the switch goes down to rommon/bootloader.

Except for the full core and tracelogs, everything else is a text file.

Use the request platform software process core fed active command to generate the core dump.h2-macallan1# request platform software process core fed activeProcess : fed main event (28155) encountered fatal signal 6Process : fed main event stack :

SUCCESS: Core file generated.

h2-macallan1#dir bootflash:coreDirectory of bootflash:/core/

178483 -rw- 1 May 23 2017 06:05:17 +00:00 .callhome194710 drwx 4096 Aug 16 2017 19:42:33 +00:00 modules178494 -rw- 10829893 Aug 23 2017 09:46:23 +00:00h2-macallan1_RP_0_fed_28155_20170823-094616-UTC.core.gz

Crashinfo Files

By default the system report file will be generated and saved into the /crashinfo directory. Ifit cannot be savedto the crashinfo partition for lack of space, then it will be saved to the /flash directory.

To display the files, enter the dir crashinfo: command. The following is sample output of a crashinfo directory:Switch#dir crashinfo:Directory of crashinfo:/

23665 drwx 86016 Jun 9 2017 07:47:51 -07:00 tracelogs11 -rw- 0 May 26 2017 15:32:44 -07:00 koops.dat12 -rw- 4782675 May 29 2017 15:47:16 -07:00 system-report_1_20170529-154715-PDT.tar.gz1651507200 bytes total (1519386624 bytes free)

System reports are located in the crashinfo directory in the following format:system-report_[switch number]_[date]-[timestamp]-UTC.gz

After a switch crashes, check for a system report file. The name of the most recently generated system reportfile is stored in the last_systemreport file under the crashinfo directory. The system report and crashinfo filesassist TAC while troubleshooting the issue.


Troubleshooting the Software ConfigurationSystem Report

The system report generated can be further copied using TFTP, HTTP and few other options.Switch#copy crashinfo: ?crashinfo: Copy to crashinfo: file systemflash: Copy to flash: file systemftp: Copy to ftp: file systemhttp: Copy to http: file systemhttps: Copy to https: file systemnull: Copy to null: file systemnvram: Copy to nvram: file systemrcp: Copy to rcp: file systemrunning-config Update (merge with) current system configurationscp: Copy to scp: file systemstartup-config Copy to startup configurationsyslog: Copy to syslog: file systemsystem: Copy to system: file systemtftp: Copy to tftp: file systemtmpsys: Copy to tmpsys: file system

The general syntax for copying onto TFTP server is as follows:Switch#copy crashinfo: tftp:Source filename [system-report_1_20150909-092728-UTC.gz]?Address or name of remote host []? 1.1.1.1Destination filename [system-report_1_20150909-092728-UTC.gz]?

The tracelogs can be collected by issuing a trace archive command. This command provides time periodoptions. The command syntax is as follows:Switch#request platform software trace archive ?last Archive trace files of last x daystarget Location and name for the archive file

The tracelogs stored in crashinfo: or flash: directory from within the last 3650 days can be collected.Switch# request platform software trace archive last ?<1-3650> Number of days (1-3650)Switch#request platform software trace archive last 3650 days target ?crashinfo: Archive file name and locationflash: Archive file name and location

It is important to clear the system reports or trace archives from flash or crashinfo directory once they arecopied out, in order to have space available for tracelogs and other purposes.

Note

In a complex network it is difficult to track the origin of a system-report file. This task is made easier if thesystem-report files are uniquely identifiable. Starting with the Cisco IOS XE Amsterdam 17.3.x release, thehostname will be prepended to the system-report file name making the reports uniquely identifiable.

The following example displays system-report files with the hostname prepended:HOSTNAME#dir flash:/core | grep HOSTNAME40486 -rw- 108268293 Oct 21 2019 16:07:50 -04:00HOSTNAME-system-report_20191021-200748-UTC.tar.gz40487 -rw- 17523 Oct 21 2019 16:07:56 -04:00HOSTNAME-system-report_20191021-200748-UTC-info.txt40484 -rw- 48360998 Oct 21 2019 16:55:24 -04:00HOSTNAME-system-report_20191021-205523-UTC.tar.gz40488 -rw- 14073 Oct 21 2019 16:55:26 -04:00HOSTNAME-system-report_20191021-205523-UTC-info.txt


Troubleshooting the Software ConfigurationSystem Report

Onboard Failure Logging on the SwitchYou can use the onboard failure logging (OBFL) feature to collect information about the device. The informationincludes uptime, temperature, and voltage information and helps Cisco technical support representatives totroubleshoot device problems. We recommend that you keep OBFL enabled and do not erase the data storedin the flash memory.

By default, OBFL is enabled. It collects information about the device and small form-factor pluggable (SFP)modules. The device stores this information in the flash memory:

• CLI commands—Record of the OBFL CLI commands that are entered on a standalone device.

• Environment data—Unique device identifier (UDI) information for a standalone device and for all theconnected FRU devices: the product identification (PID), the version identification (VID), and the serialnumber.

• Message—Record of the hardware-related system messages generated by a standalone device .

• Power over Ethernet (PoE)—Record of the power consumption of PoE ports on a standalone device .

This feature is not supported on the C9500-12Q, C9500-16X, C9500-24Q,C9500-40X models of the Cisco Catalyst 9500 Series Switches.

Note

• Temperature—Temperature of a standalone deicev .

• Uptime data—Time when a standalone device starts, the reason the device restarts, and the length oftime the device has been running since it last restarted.

• Voltage—System voltages of a standalone device .

You should manually set the system clock or configure it by using Network Time Protocol (NTP).

When the device is running, you can retrieve the OBFL data by using the show logging onboard privilegedEXEC commands. If the device fails, contact your Cisco technical support representative to find out how toretrieve the data.

When an OBFL-enabled device is restarted, there is a 10-minute delay before logging of new data begins.

Fan FailuresBy default, the feature is disabled. When more than one of the fans fails in a field-replaceable unit (FRU) orin a power supply, the device does not shut down, and this error message appears:

Multiple fan(FRU/PS) failure detected. System may get overheated. Change fan quickly.

The device might overheat and shut down.

To enable the fan failures feature, enter the system env fan-fail-action shut privileged EXEC command. Ifmore than one fan in the device fails, the device automatically shuts down, and this error message appears:

Faulty (FRU/PS) fans detected, shutting down system!


Troubleshooting the Software ConfigurationOnboard Failure Logging on the Switch

After the first fan shuts down, if the device detects a second fan failure, the device waits for 20 seconds beforeit shuts down.

To restart the device, it must be power cycled.

Possible Symptoms of High CPU UtilizationExcessive CPU utilization might result in these symptoms, but the symptoms might also result from othercauses, some of which are the following:

• Spanning tree topology changes

• EtherChannel links brought down due to loss of communication

• Failure to respond to management requests (ICMP ping, SNMP timeouts, slow Telnet or SSH sessions)

• UDLD flapping

• IP SLAs failures because of SLAs responses beyond an acceptable threshold

• DHCP or IEEE 802.1x failures if the switch does not forward or respond to requests

How to Troubleshoot the Software Configuration

Recovering from a Software Failure

Before you begin

This recovery procedure requires that you have physical access to the switch.

This procedure uses boot loader commands and TFTP to recover from a corrupted or incorrect image file.

Set the baud rate of the terminal to match the the default rate of 9600 bits per second [bps] of the switchconsole port. If the baud rate is set to a value other than 9600 bps, access to the console will be lost until thespeed is set back to the dafault.

Procedure

Step 1 From your PC, download the software image file (image.bin) from Cisco.com.Step 2 Load the software image to your TFTP server.Step 3 Connect your PC to the switch Ethernet management port.Step 4 Unplug the switch power cord.Step 5 Press the Mode button, and at the same time, reconnect the power cord to the switch.Step 6 From the bootloader prompt, ensure that you can ping your TFTP server.

a) Set switch IP address: set IP_ADDRESS ip_address

Example:switch: set IP_ADDRESS 192.0.2.123


Troubleshooting the Software ConfigurationPossible Symptoms of High CPU Utilization

b) Set switch subnet mask: set IP_SUBNET_MASK subnet_mask

Example:switch: set IP_SUBNET_MASK 255.255.255.0

c) Set default gateway: set DEFAULT_GATEWAY ip_address

Example:switch: set DEFAULT_ROUTER 192.0.2.1

d) Verify that you can ping the TFTP server switch: ping ip_address_of_TFTP_server

Example:switch: ping 192.0.2.15ping 192.0.2.1 with 32 bytes of data...Host 192.0.2.1 is alive.switch:

Step 7 Choose one of the following:

• From the bootloader prompt, initiate the boot tftp command that assists you in recovering the softwareimage on your switch.switch: boot tftp://10.168.0.1/cat9k/cat9k_iosxe.2017-08-25_09.41.binattempting to boot from [tftp://10.168.0.1/cat9k/cat9k_iosxe.2017-08-25_09.41.SSA.bin]

interface : eth0macaddr : E4:AA:5D:59:7B:44ip : 10.168.247.10netmask : 10.255.0.0gateway : 10.168.0.1server : 10.168.0.1file : cat9k/cat9k_iosxe.2017-08-25_09.41.bin!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!




Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.6.1RELEASE SOFTWARE (fc2)Copyright (c) 1986-2017 by Cisco Systems, Inc.Compiled Thu 24-Aug-17 13:23 by mcpre


Troubleshooting the Software ConfigurationRecovering from a Software Failure






cisco C9XXX (X86) processor (revision V00) with 869398K/6147K bytes of memory.Processor board ID FXS1939Q3LZ144 Gigabit Ethernet interfaces16 Ten Gigabit Ethernet interfaces4 Forty Gigabit Ethernet interfaces32768K bytes of non-volatile configuration memory.15958516K bytes of physical memory.11161600K bytes of Bootflash at bootflash:.1638400K bytes of Crash Files at crashinfo:.0K bytes of WebUI ODM Files at webui:.



• Install the software from the recovery partition. This recovery image is required for recovery using theemergency-install feature.

a) Verify that you have a recovery image in your recovery partition (sda9:).

Example:

switch: dir sda9:

Size Attributes Name- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



21680202 -rw- cat9k-recovery.SSA.bin- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

b) From the bootloader prompt, initiate the emergency-install feature that assists you in recovering thesoftware image on your switch. WARNING: The emergency install command will erase your entire bootflash!

Example:switch: emergency-installtftp://10.255.254.254/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.binWARNING: The system partition (bootflash:) will be erased during the system recoveryinstall process.Are you sure you want to proceed? [y] y/n [n]: yStarting system recovery(tftp://10.255.254.254/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin) ...Attempting to boot from [sda9:cat9k-recovery.SSA.bin]Located cat9k-recovery.SSA.bin###########################################################################################################################################

Warning: ignoring ROMMON var "BOOT_PARAM"

PLATFORM_TYPE C9X00 speed 9600

Booting Recovery Image 16.5.1a

Initiating Emergency Installation of bundletftp://10.255.254.254/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin

Downloading bundletftp://10.255.254.254/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin...curl_vrf=2% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed100 485M 100 485M 0 0 5143k 0 0:01:36 0:01:36 --:--:-- 5256k100 485M 100 485M 0 0 5143k 0 0:01:36 0:01:36 --:--:-- 5143k

Validating bundle tftp://10.255.254.254/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin...Installing bundletftp://10.255.254.254/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin....Verifying bundle tftp://10.255.254.254/auto/tftpboot/X86/cat9k_iosxe.16.05.01a.SPA.bin...Package cat9k-cc_srdriver.16.05.01a.SPA.pkg/temp//stage/cat9k-cc_srdriver.16.05.01a.SPA.pkg is Digitally SignedPackage cat9k-espbase.16.05.01a.SPA.pkg /temp//stage/cat9k-espbase.16.05.01a.SPA.pkg isDigitally SignedPackage cat9k-guestshell.16.05.01a.SPA.pkg /temp//stage/cat9k-guestshell.16.05.01a.SPA.pkgis Digitally SignedPackage cat9k-rpbase.16.05.01a.SPA.pkg /temp//stage/cat9k-rpbase.16.05.01a.SPA.pkg isDigitally SignedPackage cat9k-sipbase.16.05.01a.SPA.pkg /temp//stage/cat9k-sipbase.16.05.01a.SPA.pkg isDigitally SignedPackage cat9k-sipspa.16.05.01a.SPA.pkg /temp//stage/cat9k-sipspa.16.05.01a.SPA.pkg isDigitally SignedPackage cat9k-srdriver.16.05.01a.SPA.pkg /temp//stage/cat9k-srdriver.16.05.01a.SPA.pkgis Digitally SignedPackage cat9k-webui.16.05.01a.SPA.pkg /temp//stage/cat9k-webui.16.05.01a.SPA.pkg isDigitally SignedPackage cat9k-wlc.16.05.01a.SPA.pkg /temp//stage/cat9k-wlc.16.05.01a.SPA.pkg is DigitallySignedPackage /cat9k-rpboot.16.05.01a.SPA.pkg /temp//rpboot/cat9k-rpboot.16.05.01a.SPA.pkg isDigitally Signed



Preparing flash....Flash filesystem unmounted successfully /dev/sdb3Syncing device....Emergency Install successful... RebootingWill reboot now


System Bootstrap, Version 16.5.2r, RELEASE SOFTWARE (P)Compiled Wed 05/31/2017 15:58:35.22 by rel


Last reset cause: SoftwareReloadC9X00 platform with 8388608 Kbytes of main memory

Alternatively, you can copy the image from TFTP to local flash through Telnet or Management port and thenboot the device from local flash.

Recovering from a Lost or Forgotten PasswordThe default configuration for the switch allows an end user with physical access to the switch to recover froma lost password by interrupting the boot process during power-on and by entering a new password. Theserecovery procedures require that you have physical access to the switch.

On these switches, a system administrator can disable some of the functionality of this feature by allowingan end user to reset a password only by agreeing to return to the default configuration. If you are an end usertrying to reset a password when password recovery has been disabled, a status message shows this during therecovery process.

Note

Procedure

Step 1 Connect a terminal or PC to the switch.

• Connect a terminal or a PC with terminal-emulation software to the switch console port. If you arerecovering the password for a switch stack, connect to the console port of the active switch.

• Connect a PC to the Ethernet management port. If you are recovering the password for a switch stack,connect to the Ethernet management port of a stack member.

Step 2 Set the line speed on the emulation software to 9600 baud.Step 3 Power off the standalone switch or the entire switch stack.Step 4 Note Cisco Catalyst 9500 Series Switches- High Performance do not have a Mode button. You can exit

the configuration dialog at any prompt using Ctrl-C to kill the bootup sequence.


Troubleshooting the Software ConfigurationRecovering from a Lost or Forgotten Password

For Cisco Catalyst 9500 Series Switches, reconnect the power cord to the switch or the active switchAs soonas the System LED blinks, press and release the Mode button 2-3 times. The switch enters the ROMMONmode.

The following console messages are displayed during the reload:Initializing Hardware...

System Bootstrap, Version 16.6.1r [FC1], RELEASE SOFTWARE (P)Compiled Sat 07/15/2017 8:31:57.39 by rel


Last reset cause: SoftwareReload <---- Start pressing and releasing the mode buttonC9500-12Q platform with 8388608 Kbytes of main memory

attempting to boot from [flash:packages.conf]

Located file packages.conf######################################################################

Unable to load cat9k-rpboot.16.06.02b.SPA.pkgFailed to boot file flash:user/packages.confERROR: failed to boot from flash:packages.conf (Aborted) <--- will abortswitch:switch: <---- ROMMON


System Bootstrap, Version 16.8.1r [FC4], RELEASE SOFTWARE (P)Compiled 20-03-2018 15:12:03.01 by rel

Current ROMMON image : Primary Rommon Image

Last reset cause:PowerOnC9500-48Y4C platform with 16777216 Kbytes of main memory

Preparing to autoboot. [Press Ctrl-C to interrupt] <<<<<<<<< Break sequence to be pressedto get to rommon

Proceed to the Procedure with Password Recovery Enabled section, and follow the steps.

Step 5 After recovering the password, reload the switch or the active switch.

On a switch:Switch> reloadProceed with reload? [confirm] y

On the active switch:Switch> reload slot <stack-active-member-number>Proceed with reload? [confirm] y

Step 6 Power on the remaining switches in the stack.


Troubleshooting the Software ConfigurationRecovering from a Lost or Forgotten Password

Procedure with Password Recovery Enabled

Procedure

Step 1 Ignore the startup configuration with the following command:

Device: SWITCH_IGNORE_STARTUP_CFG=1

Step 2 Boot the switch with the packages.conf file from flash.

Device: boot flash:packages.conf

Step 3 Terminate the initial configuration dialog by answering No.

Would you like to enter the initial configuration dialog? [yes/no]: No

Step 4 At the switch prompt, enter privileged EXEC mode.

Device> enableDevice#

Step 5 Copy the startup configuration to running configuration.

Device# copy startup-config running-config Destination filename [running-config]?

Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you canchange the password.

Step 6 Enter global configuration mode and change the enable password.

Device# configure terminalDevice(config)# enable secret password

Step 7 Return to privileged EXEC mode:Device(config)# exitDevice#

Step 8 Write the running configuration to the startup configuration file.

Device# copy running-config startup-config

Step 9 Confirm that manual boot mode is enabled.

Device# show boot


Troubleshooting the Software ConfigurationProcedure with Password Recovery Enabled

BOOT variable = flash:packages.conf;Manual Boot = yesEnable Break = yes

Step 10 Reload the device.

Device# reload

Step 11 Set the SWITCH_IGNORE_STARTUP_CFG parameter to 0.

Device(config)# no system ignore startupconfig switch allDevice(config)# endDevice# write memory

Step 12 Boot the device with the packages.conf file from flash.

Device: boot flash:packages.conf

Step 13 After the device boots up, disable manual boot on the device.

Device(config)# no boot manual

Procedure with Password Recovery DisabledIf the password-recovery mechanism is disabled, this message appears:

The password-recovery mechanism has been triggered, butis currently disabled. Access to the boot loader promptthrough the password-recovery mechanism is disallowed atthis point. However, if you agree to let the system bereset back to the default system configuration, accessto the boot loader prompt can still be allowed.

Would you like to reset the system back to the default configuration (y/n)?

Returning the device to the default configuration results in the loss of all existing configurations.We recommendthat you contact your system administrator to verify if there are backup device and VLAN configuration files.

Caution

• If you enter y (yes), the configuration file in flash memory and the VLAN database file are deleted.Whenthe default configuration loads, you can reset the password.

Procedure

Step 1 Choose to continue with password recovery and delete the existing configuration:


Troubleshooting the Software ConfigurationProcedure with Password Recovery Disabled

Would you like to reset the system back to the default configuration (y/n)? Y

Step 2 Display the contents of flash memory:Device: dir flash:

The device file system appears.

Directory of flash:/...i'15494 drwx 4096 Jan 1 2000 00:20:20 +00:00 kirch15508 -rw- 258065648 Sep 4 2013 14:19:03 +00:00cat9k_caa-universalk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.bin162196684

Step 3 Boot up the system:Device: boot

You are prompted to start the setup program. To continue with password recovery, enter N at the prompt:

Continue with the configuration dialog? [yes/no]: N

Step 4 At the device prompt, enter privileged EXEC mode:Device> enable

Step 5 Enter global configuration mode:Device# configure terminal

Step 6 Change the password:Device(config)# enable secret password

The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive,and allows spaces but ignores leading spaces.

Step 7 Return to privileged EXEC mode:Device(config)# exitDevice#

Before continuing to Step 9, power on any connected stack members and wait until they havecompletely initialized.

Note

Step 8 Write the running configuration to the startup configuration file:


Troubleshooting the Software ConfigurationProcedure with Password Recovery Disabled

Device# copy running-config startup-config

The new password is now in the startup configuration.

Step 9 You must now reconfigure the device. If the system administrator has the backup device and VLANconfiguration files available, you should use those.

Preventing Switch Stack ProblemsTo prevent switch stack problems, you should do the following:

• Make sure that the device that you add to or remove from the switch stack are powered off. For allpowering considerations in switch stacks, see the “Switch Installation” chapter in the hardware installationguide.

• Press the Mode button on a stack member until the Stack mode LED is on. The last two port LEDs onthe device should be green. Depending on the device model, the last two ports are either 10/100/1000ports or small form-factor pluggable (SFP) module. If one or both of the last two port LEDs are not green,the stack is not operating at full bandwidth.

• We recommend using only one CLI session when managing the switch stack. Be careful when usingmultiple CLI sessions to the active switch . Commands that you enter in one session are not displayedin the other sessions. Therefore, it is possible that you might not be able to identify the session fromwhich you entered a command.

• Manually assigning stack member numbers according to the placement of the device in the stack canmake it easier to remotely troubleshoot the switch stack. However, you need to remember that the devicehave manually assigned numbers if you add, remove, or rearrange device later. Use the switchcurrent-stack-member-number renumber new-stack-member-number global configuration commandto manually assign a stack member number.

If you replace a stack member with an identical model, the new device functions with the exact sameconfiguration as the replaced device. This is also assuming the new device is using the same member numberas the replaced device.

Removing powered-on stack members causes the switch stack to divide (partition) into two or more switchstacks, each with the same configuration. If you want the switch stacks to remain separate, change the IPaddress or addresses of the newly created switch stacks. To recover from a partitioned switch stack, followthese steps:

1. Power off the newly created switch stacks.

2. Reconnect them to the original switch stack through their StackWise Plus ports.

3. Power on the device.

For the commands that you can use to monitor the switch stack and its members, see the Displaying SwitchStack Information section.


Troubleshooting the Software ConfigurationPreventing Switch Stack Problems

Preventing Autonegotiation MismatchesThe IEEE 802.3ab autonegotiation protocol manages the device settings for speed (10 Mb/s, 100 Mb/s, and1000 Mb/s, excluding SFP module ports) and duplex (half or full). There are situations when this protocolcan incorrectly align these settings, reducing performance. A mismatch occurs under these circumstances:

• A manually set speed or duplex parameter is different from the manually set speed or duplex parameteron the connected port.

• A port is set to autonegotiate, and the connected port is set to full duplex with no autonegotiation.

To maximize the device performance and ensure a link, follow one of these guidelines when changing thesettings for duplex and speed:

• Let both ports autonegotiate both speed and duplex.

• Manually set the speed and duplex parameters for the ports on both ends of the connection.

If a remote device does not autonegotiate, configure the duplex settings on the two ports to match. The speedparameter can adjust itself even if the connected port does not autonegotiate.

Note

Troubleshooting SFP Module Security and IdentificationCisco small form-factor pluggable (SFP) modules have a serial EEPROM that contains the module serialnumber, the vendor name and ID, a unique security code, and cyclic redundancy check (CRC). When an SFPmodule is inserted in the device, the device software reads the EEPROM to verify the serial number, vendorname and vendor ID, and recompute the security code and CRC. If the serial number, the vendor name orvendor ID, the security code, or CRC is invalid, the software generates a security error message and placesthe interface in an error-disabled state.

The security error message references the GBIC_SECURITY facility. The device supports SFP modules anddoes not support GBIC modules. Although the error message text refers to GBIC interfaces and modules, thesecurity messages actually refer to the SFP modules and module interfaces.

Note

If you are using a non-Cisco SFPmodule, remove the SFPmodule from the device, and replace it with a Ciscomodule. After inserting a Cisco SFP module, use the errdisable recovery cause gbic-invalid globalconfiguration command to verify the port status, and enter a time interval for recovering from the error-disabledstate. After the elapsed interval, the device brings the interface out of the error-disabled state and retries theoperation. For more information about the errdisable recovery command, see the command reference forthis release.

If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data informationto verify its accuracy, an SFP module error message is generated. In this case, you should remove and reinsertthe SFP module. If it continues to fail, the SFP module might be defective.


Troubleshooting the Software ConfigurationPreventing Autonegotiation Mismatches

Executing PingIf you attempt to ping a host in a different IP subnetwork, you must define a static route to the network orhave IP routing configured to route between those subnets.

IP routing is disabled by default on all devices.

Though other protocol keywords are available with the ping command, they are not supported in this release.Note

Use this command to ping another device on the network from the device:

PurposeCommand

Pings a remote host through IP or by supplying the hostname or network address.ping ip host | address

Device# ping 172.20.52.3

Monitoring TemperatureThe Device monitors the temperature conditions and uses the temperature information to control the fans.

Use the show env temperature status privileged EXEC command to display the temperature value, state,and thresholds. The temperature value is the temperature in the Device(not the external temperature).You canconfigure only the yellow threshold level (in Celsius) by using the system env temperature threshold yellowvalue global configuration command to set the difference between the yellow and red thresholds. You cannotconfigure the green or red thresholds. For more information, see the command reference for this release.

Monitoring the Physical PathYou can monitor the physical path that a packet takes from a source device to a destination device by usingone of these privileged EXEC commands:

Table 18: Monitoring the Physical Path

PurposeCommand

Displays the Layer 2 path taken by the packets fromthe specified source MAC address to the specifieddestination MAC address.

tracetroute mac [interface interface-id]{source-mac-address} [interface interface-id]{destination-mac-address} [vlan vlan-id] [detail]

Displays the Layer 2 path taken by the packets fromthe specified source IP address or hostname to thespecified destination IP address or hostname.

tracetroute mac ip {source-ip-address |source-hostname}{destination-ip-address |destination-hostname} [detail]


Troubleshooting the Software ConfigurationExecuting Ping

Executing IP Traceroute

Though other protocol keywords are available with the traceroute privileged EXEC command, they are notsupported in this release.

Note

PurposeCommand

Traces the path thatpackets take through thenetwork.

traceroute ip host

Device# traceroute ip 192.51.100.1

Redirecting Debug and Error Message Output

By default, the network server sends the output from debug commands and system error messages to theconsole. If you use this default, you can use a virtual terminal connection to monitor debug output instead ofconnecting to the console port or the Ethernet management port.

Possible destinations include the console, virtual terminals, internal buffer, and UNIX hosts running a syslogserver. The syslog format is compatible with 4.3 Berkeley Standard Distribution (BSD) UNIX and itsderivatives.

Be aware that the debugging destination you use affects system overhead. When you log messages to theconsole, very high overhead occurs. When you log messages to a virtual terminal, less overhead occurs.Logging messages to a syslog server produces even less, and logging to an internal buffer produces the leastoverhead of any method.

For more information about system message logging, see Configuring System Message Logging.

Note

Using the show platform forward CommandThe output from the show platform forward privileged EXEC command provides some useful informationabout the forwarding results if a packet entering an interface is sent through the system. Depending upon theparameters entered about the packet, the output provides lookup table results and port maps used to calculateforwarding destinations, bitmaps, and egress information.

Most of the information in the output from the command is useful mainly for technical support personnel,who have access to detailed information about the device application-specific integrated circuits (ASICs).However, packet forwarding information can also be helpful in troubleshooting.

Using the show debug commandThe show debug command is entered in privileged EXEC mode. This command displays all debug optionsavailable on the switch.

To view all conditional debug options run the command show debug condition The commands can be listedby selecting either a condition identifier <1-1000> or all conditions.

To disable debugging, use the no debug all command.


Troubleshooting the Software ConfigurationExecuting IP Traceroute

Because debugging output is assigned high priority in the CPU process, it can render the system unusable.For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessionswith Cisco technical support staff. Moreover, it is best to use debug commands during periods of lowernetwork traffic and fewer users. Debugging during these periods decreases the likelihood that increased debugcommand processing overhead will affect system use.

Caution

Configuring OBFL

We recommend that you do not disable OBFL and that you do not remove the data stored in the flash memory.Caution

•• To enable OBFL, use the hw-switch switch [switch-number] logging onboard [message level level]global configuration command. On switches, the range for switch-number is from 1 to 9. Use themessagelevel level parameter to specify the severity of the hardware-related messages that the switch generatesand stores in the flash memory.

The following applies to the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the CiscoCatalyst 9500 Series Switches. To enable OBFL, use the hw-switch switch [module-number] loggingonboard {application-name } global configuration command.

• To copy the OBFL data to the local network or a specific file system, use the copy onboard switchswitch-number url url-destination privileged EXEC command.

This does not apply to the C9500-12Q, C9500-16X, C9500-24Q, C9500-40Xmodels of the Cisco Catalyst 9500 Series Switches.

Note

• To disable OBFL, use the no hw-switch switch [switch-number] logging onboard [message level]global configuration command.

The following applies to the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the CiscoCatalyst 9500 Series Switches. To disable OBFL, use the no hw-module slot [module-number] loggingonboard {application-name } global configuration command.

• To clear all the OBFL data in the flash memory except for the uptime and CLI command information,use the clear onboard switch switch-number privileged EXEC command.

The following applies to the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the CiscoCatalyst 9500 Series Switches. To disable OBFL, use the no hw-module slot [module-number] loggingonboard {application-name } global configuration command.

To clear all the OBFL data in the flash memory except for the uptime, use the clear logging onboardRP active {application} privileged EXEC command.

• In a switch stack, you can enable OBFL on a standalone switch or on all stack members by using thehw-switch switch [switch-number] logging onboard [message level level] global configuration command.


Troubleshooting the Software ConfigurationConfiguring OBFL

• The following does not apply to the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of theCisco Catalyst 9500 Series Switches. To disable OBFL, use the no hw-module slot [module-number]logging onboard {application-name } global configuration command.

You can enable or disable OBFL on a member switch from the active switch.

For more information about the commands in this section, see the command reference for this release.

Verifying Troubleshooting of the Software Configuration

Displaying OBFL InformationTable 19: Commands for Displaying OBFL Information - Cisco Catalyst 9500 Series Switches - High Performance

PurposeCommand

Displays the OBFLCLI commands that wereentered on a module.

show logging onboard RP active clilog [ continuous | detail| summary ]Device# show logging onboard RP active clilog

Displays the UDI information for a moduleand for all the connected FRU devices: thePID, the VID, and the serial number.

show logging onboard RP active environment [ continuous| detail | summary ]Device# show logging onboard RP active environmentt

Displays the hardware-related messagesgenerated by a module.

show logging onboard RP active message [ continuous |detail | summary ]Device# show logging onboard RP active message

Displays the counter information on amodule.show logging onboard RP active counter [ continuous |detail | summary ]Device# show logging onboard RP active counter

Displays the temperature information of amodule.

show logging onboard RP active temperature [ continuous| detail | summary ]Device# show logging onboard RP active temperature

Displays the time when a module start, thereason the module restart, and the length oftime that the module have been running sincethey last restarted.

show logging onboard RP active uptime [ continuous | detail| summary ]Device# show logging onboard RP active uptime

Displays the system voltages of a module.show logging onboard RP active voltage [ continuous | detail| summary ]Device# show logging onboard RP active voltage


Troubleshooting the Software ConfigurationVerifying Troubleshooting of the Software Configuration

PurposeCommand

Displays the status of each OBFL applicationof a module.

show logging onboard RP active status [ continuous | detail| summary ]Device# show logging onboard RP active status

Table 20: Commands for Displaying OBFL Information

PurposeCommand

Displays the OBFLCLI commands that wereentered on a standalone switch or the specifiedstack members.

show onboard switch switch-number clilog

Device# show onboard switch 1 clilog

Displays the UDI information for a standaloneswitch or the specified stack members and forall the connected FRU devices: the PID, theVID, and the serial number.

show onboard switch switch-number environment

Device# show onboard switch 1 environment

Displays the hardware-related messagesgenerated by a standalone switch or thespecified stack members.

show onboard switch switch-number message

Device# show onboard switch 1 message

Displays the counter information on astandalone switch or the specified stackmembers.

show onboard switch switch-number counter

Device# show onboard switch 1 counter

Displays the temperature of a standaloneswitch or the specified switch stackmembers.

show onboard switch switch-number temperature

Device# show onboard switch 1 temperature

Displays the time when a standalone switchor the specified stack members start, thereason the standalone switch or specifiedstack members restart, and the length of timethat the standalone switch or specified stackmembers have been running since they lastrestarted.

show onboard switch switch-number uptime

Device# show onboard switch 1 uptime

Displays the system voltages of a standaloneswitch or the specified stack members.

show onboard switch switch-number voltage

Device# show onboard switch 1 voltage

Displays the status of a standalone switch orthe specified stack members.

show onboard switch switch-number status

Device# show onboard switch 1 status

Example: Verifying the Problem and Cause for High CPU UtilizationTo determine if high CPU utilization is a problem, enter the show processes cpu sorted privileged EXECcommand. Note the underlined information in the first line of the output example.


Troubleshooting the Software ConfigurationExample: Verifying the Problem and Cause for High CPU Utilization

Device# show processes cpu sortedCPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 8%PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process309 42289103 752750 56180 1.75% 1.20% 1.22% 0 RIP Timers140 8820183 4942081 1784 0.63% 0.37% 0.30% 0 HRPC qos request100 3427318 16150534 212 0.47% 0.14% 0.11% 0 HRPC pm-counters192 3093252 14081112 219 0.31% 0.14% 0.11% 0 Spanning Tree143 8 37 216 0.15% 0.01% 0.00% 0 Exec...<output truncated>

This example shows normal CPU utilization. The output shows that utilization for the last 5 seconds is 8%/0%,which has this meaning:

• The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spenthandling interrupts.

• The time spent handling interrupts is zero percent.

Table 21: Troubleshooting CPU Utilization Problems

Corrective ActionCauseType of Problem

Determine the source of the networkpacket. Stop the flow, or change theswitch configuration. See the section on“Analyzing Network Traffic.”

The CPU is receiving too manypackets from the network.

Interrupt percentage value isalmost as high as total CPUutilization value.

Identify the unusual event, andtroubleshoot the root cause. See thesection on “Debugging ActiveProcesses.”

One or more Cisco IOS processis consuming toomuch CPU time.This is usually triggered by anevent that activated the process.

Total CPU utilization is greaterthan 50% with minimal timespent on interrupts.


Troubleshooting the Software ConfigurationExample: Verifying the Problem and Cause for High CPU Utilization

Scenarios for Troubleshooting the Software Configuration

Scenarios to Troubleshoot Power over Ethernet (PoE)Table 22: Power over Ethernet Troubleshooting Scenarios

Possible Cause and SolutionSymptom or Problem

Verify that the powered device works on another PoE port.

Use the show run, or show interface status user EXEC commandsto verify that the port is not shut down or error-disabled.

Most switches turn off port power when the port is shutdown, even though the IEEE specifications make thisoptional.

Note

Verify that power inline never is not configured on that interfaceor port.

Verify that the Ethernet cable from the powered device to the switchport is good: Connect a known good non-PoE Ethernet device to theEthernet cable, and make sure that the powered device establishes alink and exchanges traffic with another host.

Cisco powered device works only with straight cable andnot with crossover one.

Note

Verify that the total cable length from the switch front panel to thepowered device is not more than 100 meters.

Disconnect the Ethernet cable from the switch port. Use a shortEthernet cable to connect a known good Ethernet device directly tothis port on the switch front panel (not on a patch panel). Verify thatit can establish an Ethernet link and exchange traffic with anotherhost, or ping the port VLAN SVI. Next, connect a powered deviceto this port, and verify that it powers on.

If a powered device does not power on when connected with a patchcord to the switch port, compare the total number of connectedpowered devices to the switch power budget (available PoE). Usethe show power inline command to verify the amount of availablepower.

Only one port does not have PoE.

Trouble is on only one switch port.PoE and non-PoE devices do not workon this port, but do on other ports.


Troubleshooting the Software ConfigurationScenarios for Troubleshooting the Software Configuration


If there is a continuous, intermittent, or reoccurring alarm related topower, replace the power supply if possible it is a field-replaceableunit. Otherwise, replace the switch.

If the problem is on a consecutive group of ports but not all ports,the power supply is probably not defective, and the problem couldbe related to PoE regulators in the switch.

Use the show log privileged EXEC command to review alarms orsystem messages that previously reported PoE conditions or statuschanges.

If there are no alarms, use the show interface status command toverify that the ports are not shut down or error-disabled. If ports areerror-disabled, use the shut and no shut interface configurationcommands to reenable the ports.

Use the show env power and show power inline privileged EXECcommands to review the PoE status and power budget (availablePoE).

Review the running configuration to verify that power inline neveris not configured on the ports.

Connect a nonpowered Ethernet device directly to a switch port. Useonly a short patch cord. Do not use the existing distribution cables.Enter the shut and no shut interface configuration commands, andverify that an Ethernet link is established. If this connection is good,use a short patch cord to connect a powered device to this port andverify that it powers on. If the device powers on, verify that allintermediate patch panels are correctly connected.

Disconnect all but one of the Ethernet cables from switch ports.Using a short patch cord, connect a powered device to only one PoEport. Verify the powered device does not require more power thancan be delivered by the switch port.

Use the show power inline privileged EXEC command to verifythat the powered device can receive power when the port is not shutdown. Alternatively, watch the powered device to verify that itpowers on.

If a powered device can power on when only one powered device isconnected to the switch, enter the shut and no shut interfaceconfiguration commands on the remaining ports, and then reconnectthe Ethernet cables one at a time to the switch PoE ports. Use theshow interface status and show power inline privileged EXECcommands to monitor inline power statistics and port status.

If there is still no PoE at any port, a fuse might be open in the PoEsection of the power supply. This normally produces an alarm. Checkthe log again for alarms reported earlier by system messages.

No PoE on all ports or a group of ports.

Trouble is on all switch ports.Nonpowered Ethernet devices cannotestablish an Ethernet link on any port,and PoE devices do not power on.


Troubleshooting the Software ConfigurationScenarios to Troubleshoot Power over Ethernet (PoE)


Verify all electrical connections from the switch to the powereddevice. Any unreliable connection results in power interruptions andirregular powered device functioning such as erratic powered devicedisconnects and reloads.

Verify that the cable length is not more than 100 meters from theswitch port to the powered device.

Notice what changes in the electrical environment at the switchlocation or what happens at the powered device when the disconnectoccurs.

Notice whether any error messages appear at the same time adisconnect occurs. Use the show log privileged EXEC command toreview error messages.

Verify that an IP phone is not losing access to the Call Managerimmediately before the reload occurs. (It might be a network problemand not a PoE problem.)

Replace the powered device with a non-PoE device, and verify thatthe device works correctly. If a non-PoE device has link problemsor a high error rate, the problem might be an unreliable cableconnection between the switch port and the powered device.

Cisco pre-standard powered devicedisconnects or resets.

After working normally, a Cisco phoneintermittently reloads or disconnectsfrom PoE.

Use the show power inline command to verify that the switch powerbudget (available PoE) is not depleted before or after the powereddevice is connected. Verify that sufficient power is available for thepowered device type before you connect it.

Use the show interface status command to verify that the switchdetects the connected powered device.

Use the show log command to review systemmessages that reportedan overcurrent condition on the port. Identify the symptom precisely:Does the powered device initially power on, but then disconnect? Ifso, the problem might be an initial surge-in (or inrush) current thatexceeds a current-limit threshold for the port.

IEEE 802.3af-compliant or IEEE802.3at-compliant powered devices donot work on Cisco PoE switch.

A non-Cisco powered device isconnected to a Cisco PoE switch, butnever powers on or powers on and thenquickly powers off. Non-PoE deviceswork normally.

Configuration Examples for Troubleshooting Software

Example: Pinging an IP HostThis example shows how to ping an IP host:

Device# ping 172.20.52.3

Type escape sequence to abort.Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:!!!!!


Troubleshooting the Software ConfigurationConfiguration Examples for Troubleshooting Software

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 msDevice#

Table 23: Ping Output Display Characters

DescriptionCharacter

Each exclamation point means receipt of a reply.!

Each period means the network server timed out while waiting for a reply..

A destination unreachable error PDU was received.U

A congestion experienced packet was received.C

User interrupted test.I

Unknown packet type.?

Packet lifetime exceeded.&

To end a ping session, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release theCtrl, Shift, and 6 keys and then press the X key.

Example: Performing a Traceroute to an IP HostThis example shows how to perform a traceroute to an IP host:

Device# traceroute ip 192.0.2.10

Type escape sequence to abort.Tracing the route to 192.0.2.10

1 192.0.2.1 0 msec 0 msec 4 msec2 192.0.2.203 12 msec 8 msec 0 msec3 192.0.2.100 4 msec 0 msec 0 msec4 192.0.2.10 0 msec 4 msec 0 msec

The display shows the hop count, the IP address of the router, and the round-trip time in milliseconds for eachof the three probes that are sent.

Table 24: Traceroute Output Display Characters


The probe timed out.*

Unknown packet type.?

Administratively unreachable. Usually, this output means that an access list is blocking traffic.A

Host unreachable.H

Network unreachable.N


Troubleshooting the Software ConfigurationExample: Performing a Traceroute to an IP Host


Protocol unreachable.P

Source quench.Q

Port unreachable.U

To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and releasethe Ctrl, Shift, and 6 keys and then press the X key.

Additional References for Troubleshooting SoftwareConfiguration

Related Documents



For complete syntax and usage information for the commands used inthis chapter.

Feature History for Troubleshooting Software ConfigurationThis table provides release and related information for features explained in this module.



Troubleshooting software configuration describeshow to identify and resolve software problemsrelated to the Cisco IOS software on the switch.


TroubleshootingSoftware Configuration



TroubleshootingSoftware Configuration


The hostname is prepended to the system-reportfiles. This makes the system-report files uniquelyidentifiable.

System-Report FilesCisco IOS XE Amsterdam17.3.1



Troubleshooting the Software ConfigurationAdditional References for Troubleshooting Software Configuration



Troubleshooting the Software ConfigurationFeature History for Troubleshooting Software Configuration

System Management Configuration Guide, Cisco IOS XE ...

Documents

Transcript of System Management Configuration Guide, Cisco IOS XE ...